ANALYSIS OF PRODUCTION SCHEMATA BY PETRI NETS

Abstract 

Petri nets provide a powerful graphical tool for representing
and analyzing complex concurrent systems. Properties such as
hang-up freeness, determinacy, conflict, concurrency and dependency
can be represented and studied. The precise relationship between
structural and behavioral properties, and between local and
global properties, is not well understood for the most general class
of Petri Nets. This thesis presents such results for a restricted
class of Petri Nets called Free Choice Petri Nets, and for a
corresponding class of Systems called Production Schemata. Results
on structural constraints guaranteeing global operation, and
decompositions of complex systems into meaningful parts, are also
presented.


This  report  reproduces  a  thesis  of  the  same  title  submitted  to 
the  Department  of  Electrical  Engineering,  Massachusetts  Institute 
of  Technology,  in  partial  fulfillment  of  the  requirements  for 
the  degree  of  Master  of  Science,  February  1972. 
INTRODUCTION AND PREVIOUS WORK

The subject matter of this thesis is part of what can be called
"Systemics," or System Theory, the science that analyzes and describes
complex systems, patterns of interaction, communication between parts
of a system, understanding of a system by understanding its parts and
the interrelation of parts, and the like. Operational research has been
applied to study such systems numerically, to compare operating
strategies, to optimize. But our approach is structural, i.e. we are
interested in the structural relations and dependencies of the system. Thus
we have notions such as:

a)  Operations  A  and  B  are  concurrent,  that  is,  either  can  precede 
the  other,  they  may  overlap  in  time,  and  which  one  of  the  above 
situations  occurs  is  irrelevant.  In  some  way,  A  and  B  are 
temporally  independent. 

b)  Operation  C  must  wait  for  both  A  and  B  to  complete. 

c) Operations D and E must both wait for C, but either one
excludes the other, i.e. if D takes place, E cannot and vice
versa. This is called a conflict situation, and related to it
is the concept of decision (to resolve conflict) and branching.

d) Deadlock situation: A certain operation A must wait (depends
on results of) operation B, but operation B must wait for A:
The system hangs up; it is in a hang-up state, or deadlocked.

e) Unpredictability or non-determinacy: A certain operation
depends on the results of either A or B, but A and B are
concurrent: the final result may depend on whichever occurs first.

Petri Nets are a formal mathematical tool. They rely on a graphical
representation of dependencies such as those described above, and,
in a more general sense, are used to represent a system described by
events whose occurrences depend on certain conditions and change those
conditions. The notions of deadlock and unpredictability presented above
correspond to the precisely defined properties of liveness and safeness
of Petri Nets.
The mathematical analysis of Petri Nets in their full generality
has not yet been very successful, but certain restricted classes are
now well understood. This thesis shows important results for the class
of Free Choice Petri Nets, a subclass of Petri nets, and solves the
deadlocks and unpredictability problem for a restricted class of systems
called Production Schemata.

The concept of Systemics as a science is due to Holt (Information
Systems Theory Project), who extended and applied the ideas of Petri.
Petri Nets were introduced by Petri in his dissertation in 1962 [18] and
modified to their present form by Holt in 1968 [10].

The idea of first studying a limited subclass of Petri Nets to obtain
a better understanding of more general Petri Nets is due to
Genrich [9], who introduced Marked Graphs to study concurrency.

Extensive mathematical results about a subclass of Petri Nets known
as Marked Graphs have been published by Holt and Commoner [12]. In that
publication, Marked Graphs have also been used to represent a subclass of
Production Schemata, namely those without decision branches or conflicts.

Research on this thesis was prompted by a comparison of Rodriguez's
Parallel Program Graphs [19] and Marked Graphs. Both formalisms express
the same kind of determinism, but Rodriguez's Graphs allow for branching.
Attempts to model branching by a method as similar in structure as
possible to Marked Graphs led to the definition of Free Choice Petri Nets.

The works of Karp and Miller [13], Muller and Bartky [14], Baer, Bovet,
and Estrin [1], Slutz [21] were in different degrees relevant to research
in the early stages of this thesis. In particular, Muller's concept of
semimodularity is related to the behavior of safe Petri Nets, and the
algorithms of Baer, Bovet and Estrin are of interest insofar as their
"directed acyclic bilogic graphs" are structurally the same as acyclic
Free Choice Petri Nets.

Among the references listed in this thesis are several other
publications about Petri Nets. These include several applications of Petri
Nets, notably Saint and Shapiro for representing algorithms [20], and
Dennis for representing control structures in digital computers [6].

PART ONE


Description of Petri Nets and Production Schemata
CHAPTER 1
Petri  Nets 




1.1  Definition 


• A Petri Net is a directed bichromatic graph with an initial marking.
The two distinguished types of vertices are called places and
transitions; a marking is a function which associates with each
place in the Petri Net a non-negative integer, called the token
load of that place, or the number of tokens in it.

• A simulation of a Petri Net is a sequence of firings of transitions.
Only firable transitions may fire at any time, and a transition is
firable if and only if all its immediate antecedent places (input
places) have a positive, non-zero, load in the present marking.
(A place with one or more tokens is marked, a place with no tokens
is blank.) The firing of a transition changes the marking by
decrementing the load of each input place by one and by incrementing
the load of each immediate successor place (output place) by one.

• A Marking M' is said to be reachable from marking M if there exists
a firing sequence which transforms marking M into M'. The marking
class of a Petri Net is the set of all markings reachable from the
initial marking.

Graphically, we represent places by circles and transitions by bars.
Dots in places represent the tokens of the marking.


Example : 


before  the  firing  of 
transition  t. 


after  the  firing  of 
transition  t. 
1.2 Liveness and Safeness

The most important properties of Petri Nets are liveness and
safeness.

A  transition  t  is  live  at  marking  M  if,  for  every  marking  M'  that 
can  be  reached  from  M,  there  exists  a  firing  sequence  which  fires  t. 

Example : 


In  this  example,  t^  and  t ^  are  live,  but  t^  is  not  live,  because  if  we 
fire  t3  we  reach  a  marking  with  only  one  token,  and  no  firing  sequence 
can  possibly  get  two  tokens  back  on  the  net,  hence  t^  cannot  be  fired 
again. 

If  every  transition  in  a  Petri  Net  is  live,  the  Petri  Net  is  live. 
An  example  of  a  live  net  is: 


4  is  live  because  it  can  fire  at  any  time:  it  has  no  blank  input  place. 
t2  is  live  because,  for  any  marking,  t^  is  a  firing  sequence. 
A place p is safe at marking M if every marking M' that can be
reached from M has at most one token on p.


p1 and p2 are safe; p3 is not.

A Petri Net is safe if every place in the net is safe.

A Petri Net is said to be live and safe, or LS, if it is both live and
safe at the initial marking.

In a safe Petri Net, a place is either blank or has one token. We
can say that a place represents some condition which either holds or
doesn't. A firing of a transition then terminates the holding of those
conditions that enabled the transition, and begins the holding of other
conditions: In this context, we say that an event, represented by the
transition, occurred.

1.3  Syntactical  Subclasses 

The structure of Petri Nets in full generality, as defined above, is
very rich, and it appears difficult to fully understand the relationships
between the structure of the net (properties such as strongly connected,
for example) and the behavior of the net (liveness or safeness, for
example). Hence we approach the problem by analyzing first certain
restricted subclasses of Petri nets.

Definitions

Presently  we  distinguish  the  following  subclasses: 

-  State  Machines  (SM) 

-  Marked  Graphs  (MG) 

-  Free  Choice  Petri  Nets  (FC) 

-  Simple  Petri  Nets  (SN) 

-  Petri  Nets  (PN) 

We  say  syntactical  subclasses  because  of  the  fact  that  whether  a 
given  Petri  Net  belongs  to  a  subclass  or  not  is  decided  by  the 
local  structural  configuration  of  the  Net.  In  short,  we  have: 


[Figure: inclusion of the classes above as proper subclasses.]

Local configuration of each subclass (the "yes" and "no" columns of the
original table were drawings of configurations):

SM: every transition has exactly one input place and exactly one
output place.

MG: every place has exactly one input transition and exactly one
output transition.

FC: every arc from a place is either unique output of a place or
unique input to a transition.

It can be seen that State Machines have the same structure as the
familiar Finite State Automata or Sequential Machines, but uninterpreted
in the sense that we do not associate input or output symbols
to the transitions (state-transitions in Automata Theory language). A
token in a place corresponds to the Sequential Machine being in the
corresponding state, assuming there is only one token in the net.

1.4 Mathematical Properties: A first approach to the basic concepts

1.4.1  Overview 

The mathematical properties of Petri Nets we are most interested in
are the relations between liveness and safeness of the Net, or
parts of it, and structural properties such as connectedness, covered
by State Machines, decomposable into Marked Graphs.

Holt  and  Commoner  have  extensively  studied  the  mathematics  of 
State  Machines  and  Marked  Graphs  [5,  12]. 

We  shall  focus  our  attention  on  Free  Choice  Nets.  The  most 
important  result  is  a  Theorem  that  states  necessary  and  sufficient 
conditions  for  the  existence  of  a  live  and  safe  marking  in  a  Free 
Choice  Petri  Net. 

To date, Free Choice Petri Nets are the largest class of
Petri  Nets  for  which  such  necessary  and  sufficient  conditions  are 
known. 

1.4.2  Liveness  and  Safeness  in  Free  Choice  Petri  Nets 

Important  preliminary  contributions  to  this  topic  are  due  to 
Fred  Commoner,  and  include  the  definition  of  Traps  and  Deadlocks, 
as  well  as  a  Necessary  and  Sufficient  Condition  for  Liveness  of 
Free  Choice  Petri  Nets. 
• A Deadlock is a set of places in a Petri Net such that every
transition which puts a token on some place in the set requires
at least one token from some place in the set. This
implies that if a deadlock is blank (i.e. contains no tokens),
it will remain blank for every possible firing sequence. This
is intuitively bad for liveness, since every transition having
an input place in a blank deadlock will have no chance of firing.


Example : 


The  bold  face  places 
form  a  deadlock. 


Note  that  a  deadlock  in  the  Petri  Net  sense  is  a  deadlock  in 
the  usual  sense  only  if  it  is  blank;  potential  deadlock  might 
be  a  better  name  for  the  deadlocks  defined  above. 

• A Trap is a set of places such that every transition which takes
a token from the set puts at least one token back into the set.
Hence once a Trap is marked, i.e. contains at least one token,
it will always be marked, no matter what firing sequences take
place.

Note  that  if  a  Deadlock  contains  a  marked  Trap,  it  will  never 
become  blank,  and  the  threat  to  liveness  described  before  does 
not  exist:  This  is  the  "good"  situation. 
Example of a Trap (bold face)


Traps and Deadlocks are not exclusive: For example,
every strongly connected Petri Net is both a Trap and a Deadlock.

Commoner has proved that a Free Choice Petri Net is live if and
only if every Deadlock contains a marked Trap [4].
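The Deadlock and Trap definitions above, and Commoner's condition, can be checked mechanically on small nets. The following is an added example, not code from the thesis: the two Free Choice nets, their place and transition names, and the initial marking are constructed for illustration, and the search over all place subsets is brute force.

```python
from itertools import combinations

# Constructed nets (not the thesis figures). Each net maps a transition
# name to (input places, output places). Both nets are Free Choice.
HANG_UP = {                      # a switch feeding a conjunctive operation A
    "left":  (("s",), ("a_left",)),
    "right": (("s",), ("a_right",)),
    "A":     (("a_left", "a_right"), ("s",)),
}
SWITCH_COLLECTOR = {             # a switch whose two paths rejoin disjunctively
    "left":      (("s",), ("x",)),
    "right":     (("s",), ("y",)),
    "collect_x": (("x",), ("s",)),
    "collect_y": (("y",), ("s",)),
}
INITIAL = {"s": 1}               # one token on s, every other place blank


def places_of(net):
    return sorted({p for ins, outs in net.values() for p in ins + outs})


def is_deadlock(net, places):
    """Every transition that puts a token into the set also takes one from it."""
    return all(places & set(ins)
               for ins, outs in net.values() if places & set(outs))


def is_trap(net, places):
    """Every transition that takes a token from the set puts one back."""
    return all(places & set(outs)
               for ins, outs in net.values() if places & set(ins))


def largest_trap(net, places):
    """Largest trap contained in `places` (possibly empty).

    A transition that takes from the current set without putting anything
    back rules out all of its input places, so they are removed until the
    set stops shrinking.
    """
    trap = set(places)
    shrinking = True
    while shrinking:
        shrinking = False
        for ins, outs in net.values():
            drained = trap & set(ins)
            if drained and not trap & set(outs):
                trap -= drained
                shrinking = True
    return trap


def deadlocks_without_marked_trap(net, marking):
    """Non-empty deadlocks containing no marked trap.

    By the condition quoted above, a Free Choice net is live at `marking`
    exactly when this list is empty.
    """
    found = []
    places = places_of(net)
    for size in range(1, len(places) + 1):
        for subset in combinations(places, size):
            candidate = set(subset)
            if not is_deadlock(net, candidate):
                continue
            trap = largest_trap(net, candidate)
            if not any(marking.get(p, 0) > 0 for p in trap):
                found.append(frozenset(candidate))
    return found


if __name__ == "__main__":
    for name, net in (("HANG_UP", HANG_UP), ("SWITCH_COLLECTOR", SWITCH_COLLECTOR)):
        bad = deadlocks_without_marked_trap(net, INITIAL)
        print(name, "live" if not bad else f"not live, offending deadlocks: {bad}")
```

In the first net the deadlock {s, a_left} can be emptied by switching the token to the right, which is why the condition fails even though the set of all places is a marked trap.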

• Consistent Subnets: Open and Closed

A Subnet of a Petri Net is defined like a subgraph in Graph
Theory [2], i.e. as a subset of vertices (places and/or
transitions) and the arc relation restricted to the vertices of the
subset.

Traps and Deadlocks are -- strictly speaking -- subnets by
themselves, but such a collection of places without the transitions
that are connected to them is not very meaningful by itself.

Thus we introduce the concept of a Consistent Subnet:

• A Consistent Subnet of a given Petri Net is

either: a subnet consisting of a set of places and all
transitions pointing to or from these places, called a
Closed Consistent Subnet,

or: a subnet consisting of a set of transitions and all
places pointing to or from these transitions, called
an Open Consistent Subnet.
The distinction between Closed and Open comes from the fact that
one type is connected to the rest of the net by sharing certain
transitions, and the other by sharing certain places. We assume
a place is more "open" than a transition, hence an Open subnet
has an "open" boundary of places, and a Closed subnet has a
"closed" boundary of transitions.

Deadlocks and Traps can be conveniently viewed as Closed Consistent
Subgraphs, because they are defined as a set of places. We
shall henceforth take this point of view.

The  union  of  Consistent  Subnets  is  defined  in  the  obvious  way, 
so  is  the  Covering  of  a  Petri  Net  by  a  set  of  Consistent  Subnets. 
Unless  the  Petri  Net  is  very  peculiar  (having  transitions  without 
any  input  nor  output  places  for  example),  if  the  union  of  the 
places  of  Closed  Subnets  is  the  set  of  all  places  of  the  Petri 
Net,  the  union  of  the  Subnets  is  the  whole  Petri  Net.  In  this 
sense  we  can  speak  of  a  Petri  Net  being  covered  by  State  Machines 
or  by  Marked  Graphs. 

Let a minimal Deadlock be a Deadlock that does not properly
contain any non-empty deadlock.

We shall prove that a Free Choice Petri Net has a live and safe
marking if and only if it is covered by strongly connected State
Machines and every minimal Deadlock is a strongly connected
State Machine.
CHAPTER 2

Production  Schemata 

2.1  Flow  of  Control  and  Flow  of  Objects 

In the introduction we described Systems in very general terms.
We spoke of operations and dependencies of events on each other. One
way to describe dependencies dynamically is to speak in terms of flow.
We may, in general, speak of two sorts of flow: flow of control and
flow of objects.

Flow of control often has a very complex structure because it
describes situations such as gathering information in different parts of
the system and directing one course of action instead of another. To
model flow of control by Petri Nets, we need at least the structural
complexity of Simple Nets.

Flow of objects, on the other hand, can be represented and analyzed
by Free Choice Nets. We describe flow of objects in a System by
Production Schemata.


2.2 Definition of Production Schemata: Conjunctive Elements


A Production Schema is a model for representing the flow of objects
in a System. It describes operations on objects, and branching or
merging of flow.


An assembly operation takes as inputs all the parts needed to
assemble an object: The operation takes place only when all inputs have
arrived; there is one path of flow per object.


before  assembly 


after  assembly 
We also have a disassembly operation:


before disassembly  after disassembly

In a more general sense, we have operations with several inputs and
several outputs:


before 


after 


These operations are described by conjunctive nodes because input
flow and output flow are conjunctive: all input objects are needed to
initiate the operation, and all output objects are produced each time
the operation terminates.

Before we present more elements of Production Schemata, we shall
emphasize two points: Timing, and accumulation of several objects in
one place (input arc to an operation, for example).
Timing, in the usual sense of a description of the upper and lower
bounds of delays, is a "bad word" in our context. We wish to represent
all constraints structurally in our model. This means that if a certain
system contains timing constraints, these will show up as structural
constraints in the model which is itself strictly asynchronous. This is
possible because we can model the flow of metered time by a "clock," a
certain event which happens, by definition, every t seconds. The
structure of the model is then such that if a certain event must (by
specification) occur between, say, the a-th tick (since some time origin)
and the b-th tick, that event depends (structurally) on the a-th tick, but
the b-th tick depends on it. This way we can model situations like: "If
item A has not been used after four hours, discard it."

Had we chosen a synchronous model, with metered time, it would be
very difficult indeed to represent asynchronous systems, and the cause
and effect relationship among events. Moreover, it seems that even in
the case of synchronous systems, we gain more insight into the system by
explicitly representing all constraints on the events in the system in an
asynchronous model.

Now  consider  the  following  situation: 


Operation C gets its inputs from A and B. One object, α, has arrived
from A, and C is now waiting for an object from B to proceed. But before
this happens, A produces another object, α'.
Now, should C use α and β, or α' and β? If α and α' were
undistinguishable it would not matter, but we intend to keep our model as
general and uninterpreted as possible and must assume that all objects are
distinguishable (cf. "free interpretation" in program schemata [15]). We could
require the link to preserve order (and hence mate β to α), but this can
be modeled independently by a pipeline, which we shall introduce below.

We therefore let this situation be undesirable, i.e. express a malfunction
of the system, and shall analyze it as such. It reminds us of course of
unsafeness in Petri Nets, and, in most systems, can be thought of as a
malfunction leading to unpredictability and non-determinacy.

To represent a system where one part may produce at times more
objects than are consumed by another, we need a buffer, or pipeline, and
usually the capacity is specified; in particular we do not expect
infinite queues. Then, a pipeline that can hold up to, say, 4 items and
deliver them in order, can be represented by the following arrangement,
which works like a bucket brigade:


We have 4 cells. Each cell either contains an object on the top link,
or a message on the bottom link. The message says actually two things,
depending on the point of view: "Ready to receive another object," and
"Previous object has just been delivered." These messages constitute
what Holt calls "backflow" in Marked Graph models for Production
Facilities [12]. It is of course debatable whether we should consider this
flow of messages as flow of objects rather than flow of control; but in
some systems all objects might effectively be messages, and, more
importantly, we may consider a warehouse as an operation taking as input
an order form, and giving the requested object as output. This approach
obviates the need for special input or output nodes: An input node is an
operation which produces an object upon receiving a request, and an
output node is an operation which produces a receipt, or acknowledgement,
upon delivering to the "outside world" an object received as input. The
important fact is that such messages are treated in a strictly local
manner, just like other objects, and only the producing and receiving
operations are "aware" of its existence, as opposed to control information
described in 2.1.
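The firing rule and the marking class of Chapter 1 can be run directly on this pipeline. The sketch below is an added example, not code from the thesis: it assumes the 4 cells are chained by transitions t0 to t4, with t0 and t4 standing for the producing and consuming ends, and the place names obj<i> and free<i> are illustrative. It builds the marking class breadth-first, checks safeness and liveness on it, and shows that dropping the backflow messages makes the first link unsafe.

```python
from collections import deque


def pipeline(cells, backflow=True):
    """Bucket-brigade pipeline as a Petri Net: transition -> (inputs, outputs).

    obj<i> is the top link of cell i (an object is stored there) and free<i>
    is its bottom link (the "ready to receive" message). Names are assumed.
    """
    net = {}
    for i in range(cells + 1):
        ins, outs = [], []
        if i > 0:                       # take the object out of cell i-1 ...
            ins.append(f"obj{i - 1}")
            if backflow:                # ... and report that cell as free again
                outs.append(f"free{i - 1}")
        if i < cells:                   # put the object into cell i ...
            outs.append(f"obj{i}")
            if backflow:                # ... which must have announced room
                ins.append(f"free{i}")
        net[f"t{i}"] = (ins, outs)
    marking = {f"obj{i}": 0 for i in range(cells)}
    if backflow:
        marking.update({f"free{i}": 1 for i in range(cells)})
    return net, marking


def fire(net, marking, t):
    """Marking after firing t, or None if t is not firable."""
    ins, outs = net[t]
    if any(marking[p] == 0 for p in ins):
        return None
    after = dict(marking)
    for p in ins:
        after[p] -= 1
    for p in outs:
        after[p] += 1
    return after


def marking_class(net, initial):
    """Breadth-first marking class: (graph, safe).

    graph maps each reached marking to {transition: successor marking}.
    The search stops at the first marking with two tokens on one place,
    so an unsafe net with an infinite marking class still terminates.
    """
    places = sorted(initial)
    freeze = lambda m: tuple(m[p] for p in places)
    graph = {freeze(initial): {}}
    queue = deque([initial])
    while queue:
        m = queue.popleft()
        if max(m.values()) > 1:
            return graph, False
        for t in net:
            after = fire(net, m, t)
            if after is None:
                continue
            graph[freeze(m)][t] = freeze(after)
            if freeze(after) not in graph:
                graph[freeze(after)] = {}
                queue.append(after)
    return graph, True


def is_live(net, graph):
    """Every transition can still be fired from every marking in the class."""
    for t in net:
        can_fire = {m for m, succ in graph.items() if t in succ}
        grew = True
        while grew:                     # backward closure over the graph
            grew = False
            for m, succ in graph.items():
                if m not in can_fire and any(s in can_fire for s in succ.values()):
                    can_fire.add(m)
                    grew = True
        if len(can_fire) != len(graph):
            return False
    return True


if __name__ == "__main__":
    net, m0 = pipeline(4)
    graph, safe = marking_class(net, m0)
    print(len(graph), "markings, safe:", safe, "live:", is_live(net, graph))
    print("without backflow, safe:", marking_class(*pipeline(4, backflow=False))[1])
```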

So  far,  we  have  described  exactly  the  same  class  of  Systems  as  have 
been  represented  by  Marked  Graphs  in  "Events  and  Conditions,"  by  Holt  and 
Commoner  [12].  We  present  next  those  elements  which  introduce  decisions, 
switches,  and  permit  the  representation  of  a  larger  class  of  Systems. 

2.3 Definition of Production Schemata: Disjunctive Elements

If we want to represent a situation where an object produced by A
flows either to B or to C, depending on circumstances (nature of the
object, for instance), we need a new element whose outputs are disjunctive:
It acts as a switch:


before 


after 


Also,  if  a  certain  operation  gets  its  inputs  from  exactly  one  of 
several  possible  sources,  we  need  an  element  with  disjunctive  input, 
sort of a reverse switch, or collector:


before 


after 
Of course, nothing a priori forbids us to consider a more general form
of  a  switch: 


These  elements  differ  from  operation  elements  by  the  fact  that: 

- they have disjunctive input and output,

-  there  is  only  one  object  flowing  through  at  a  time, 

-  the  object  flows  through  unchanged. 

In  particular,  this  means  that  the  following  transformation  cannot  take 
place  in  one  step. 


phase  1 


step  1 
(incorrect) 


phase  2 
Instead, it involves two steps, which can occur in either order:


phase  1 


step  2 


phase  2 


phase  3 


But we could also have the following (and in the free interpretation
we must consider this along with all other possibilities):


This leads to a situation we chose to consider a malfunction, possibly
leading to non-determinacy. One of the objectives of this thesis is to
guarantee structures such that if a collector element receives an object
on one input, no object can possibly show up on any other input until
[...] collector has been delivered to the next element following [...]


We shall conclude this section by giving an example of a structure
leading to deadlock, a structure leading to unsafeness, and an example of
a structure without malfunctions.
Example 1: Two paths, originating conjunctively and joining
disjunctively, create possible unsafeness at the input to B.


Example 2: Two paths, originating disjunctively and joining
conjunctively can lead to hang-up on A: If all objects are switched down
the left path, the right input will never get an object, and A
cannot operate.


Example  of  a  Well-Formed  Production  Schema. 
2.4 Representing Production Schemata by Petri Nets

At this point, the reader has certainly noticed the similarity
between objects and tokens, operations and transitions, links between
elements and one-input-one-output places, and [...] arc places. The
correspondence is straightforward:


Production  Schema 


Petri  Net 


Production  Schema 


Petri  Net 


We note that, in Production Schemata, objects (tokens) are on the
links, but in the Petri Net, tokens are always on places. This is
especially illustrated in example d). There are two Petri Net firings
associated with the switch (or collector) element, and there seems to be
an intermediate step where the object is "inside" the switch. This is
perfectly acceptable, and the switch or collector element could well
have been defined that way. We could also model an operation as
follows, if we wish:


Semantically,  this  is  even  quite  attractive,  but  it  does  not  in  any  way 
change  the  structure  of  dependencies  that  we  wish  to  analyze. 


On occasion, we might wish to contract the representation of the
switch or collector element:
We could even go one step further, though it may be questionable on
semantic  grounds: 


But in no case can we suppress the "auxiliary" transition α and place p,
because this would make the structure essentially different. As long as
α and p are there, a token can be switched towards D and, after that,
will have to wait for D to receive its other input, and fire. If,
however, we remove α and p, the token could at any time be "stolen" or
leaked away towards C; the switching decision would not be necessarily
final as in the original net. This distinction is fundamental to the
concept of Free Choice Petri Nets:

Every Production Schema can be represented by a Free Choice
Petri Net.


Conversely,  every  Free  Choice  Petri  Net  represents  a  Production 
Schema,  if  we  allow  contractions  as  discussed  above. 
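The local rules for the SM, MG and FC subclasses given in 1.3, and the effect of removing the auxiliary transition and place discussed above, can be checked structurally. The following is an added example, not code from the thesis: the two nets are constructed from the description in the text, and the names s, q, c_out and d_out are assumptions (s is the place where the switching decision is made, q is the other input of D).

```python
# Each net maps a transition to (input places, output places).
WITH_AUXILIARY = {               # switch keeps transition alpha and place p
    "C":     (("s",), ("c_out",)),
    "alpha": (("s",), ("p",)),
    "D":     (("p", "q"), ("d_out",)),
}
CONTRACTED = {                   # alpha and p suppressed: s feeds D directly
    "C": (("s",), ("c_out",)),
    "D": (("s", "q"), ("d_out",)),
}


def classify(net):
    """Apply the local configuration rules of the SM, MG and FC subclasses."""
    feeds = {}    # place -> transitions it is an input place of
    fed_by = {}   # place -> transitions it is an output place of
    for t, (ins, outs) in net.items():
        for p in ins + outs:
            feeds.setdefault(p, set())
            fed_by.setdefault(p, set())
        for p in ins:
            feeds[p].add(t)
        for p in outs:
            fed_by[p].add(t)
    # An arc p -> t breaks Free Choice when it is neither the unique output
    # of p nor the unique input of t.
    violations = sorted((p, t) for p, ts in feeds.items() for t in ts
                        if len(ts) > 1 and len(net[t][0]) > 1)
    return {
        "SM": all(len(i) == 1 and len(o) == 1 for i, o in net.values()),
        "MG": all(len(feeds[p]) == 1 and len(fed_by[p]) == 1 for p in feeds),
        "FC": not violations,
        "violations": violations,
    }


def enabled(net, marking):
    """Transitions whose input places all carry at least one token."""
    return sorted(t for t, (ins, _) in net.items()
                  if all(marking.get(p, 0) > 0 for p in ins))


if __name__ == "__main__":
    print("with alpha and p:", classify(WITH_AUXILIARY))
    print("contracted:      ", classify(CONTRACTED))
    # Token already switched towards D, D still waiting for q:
    print("with alpha and p, token on p:", enabled(WITH_AUXILIARY, {"p": 1}))
    print("contracted, token on s:      ", enabled(CONTRACTED, {"s": 1}))
```

In the contracted net the token waiting on s for D's other input leaves C firable, which is the "stolen" token of the text; with alpha and p in place, nothing but D can consume it once it has been switched.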
The desirable properties for a Production Schema are:

- determinacy, predictability

- no hang-up states under any conditions of operation.

The first property has been associated with unsafeness in Petri Nets by
definition of our formalism, the second property is clearly related to
liveness in the representing Petri Net. We therefore define:

A Well-Formed Production Schema is a Production Schema
represented by a Live and Safe Free Choice Petri Net.
PART TWO


Mathematical Analysis of Free Choice Petri Nets

CHAPTER 3

Formal  Definitions  and  Notation 

This  chapter  provides  the  formalism  for  the  concepts  introduced  in 
Chapter  1. 

A Petri Net is a triple $(\Pi, \Sigma, \bullet)$ where
$\Pi$ is a non-empty set of places
$\Sigma$ is a non-empty set of transitions
$\bullet$ is a relation; it corresponds to the arcs in the
directed bichromatic graph; the set of vertices is $\Pi \cup \Sigma$.
We have: $\bullet \subset (\Pi \times \Sigma) \cup (\Sigma \times \Pi)$

Notation: $(x, y) \in \bullet$ is written as $x \bullet y$

$\{y \mid x \bullet y\}$ is written as $x^{\bullet}$

$\{y \mid y \bullet x\}$ is written as ${}^{\bullet}x$

We also apply the dot notation to designate the successor
set of a set of places or transitions.

Example: $P \subset \Pi$; $P^{\bullet} = \{x \mid \exists y \in P \text{ and } y \bullet x\}$

Def. A Marking is a function $M : \Pi \to \mathbb{N}$ (non-negative integers)

Def. A Firing is a partial function from markings to markings.

There is a firing associated with every transition $t \in \Sigma$;
t is said to be firable if its firing function is defined
at the given marking M of the net, and the firing yields
marking M'. We write this: $M[t\rangle M'$. The firing associated
with $t \in \Sigma$ is such that:

$\forall p \in {}^{\bullet}t - t^{\bullet}: \; M'(p) = M(p) - 1$

$\forall p \in t^{\bullet} - {}^{\bullet}t: \; M'(p) = M(p) + 1$

$\forall p \in {}^{\bullet}t \cap t^{\bullet}: \; M'(p) = M(p)$

defined only if: $\forall p \in {}^{\bullet}t: \; M(p) > 0$
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Def.  A  firing  sequence  a  is  a  string  over  transition  names  and, 
as  a  function  over  markings,  the  composition  of  the  firings 
of  the  transitions  in  the  order  they  appear  in  the  string. 

We  shall  say  t  £  a  if  t  is  fired  at  least  once  in  a.  We 
say  that  M  leads  to  M'  via  a,  and  write  or 

M'  =  Mfc>  if  a,  as  a  partial  function,  is  defined  for  M. 

The  set  of  firing  sequences  is  denoted  by  £*. 

■4 

Def .  The  forward  Marking  Class  M  of  a  marking  M  is  the  set  of 

markings  which  can  be  reached  from  M  via  some  firing  sequence 

M  =  (M'  I  3a  €  E*  and  M[a>M' } 

The concepts of liveness and safeness are defined as follows for Petri
Nets:

Def. A transition t is live in a given marking if and only if for
every marking in the marking class there exists a firing sequence
which fires that transition.

$t \in \Sigma$ live at $M \Leftrightarrow (\forall M' \in \vec{M})(\exists \sigma \in \Sigma^*)$ such that:
$M'[\sigma\rangle$ exists (i.e. $\sigma$, as a function, is
defined at M') and $t \in \sigma$.

Def. A marking is live if and only if every transition is live at
that marking.

Def. A place p is safe if and only if for every marking in the
given marking class the load on p is not greater than one.

$p \in \Pi$ safe at $M \Leftrightarrow \forall M' \in \vec{M}:\ M'(p) \le 1$

Def. A marking is safe if and only if every place is safe at that
marking.

Corollary: If a transition is live at marking M, it is live at any
$M' \in \vec{M}$. If a place is safe at marking M, it is safe at any
$M' \in \vec{M}$.
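The firing rule, the forward marking class and the liveness and safeness definitions above can be checked mechanically on small nets. The following Python code is an added example, not part of the thesis; the nets FORK_JOIN and LEAKY and all function names are constructed for illustration, and the exhaustive search assumes a finite marking class.

```python
from collections import deque

# Nets map each transition to (input places, output places).
# Both nets are constructed for this example; they do not come from the thesis.
FORK_JOIN = {
    "t1": ({"p1"}, {"p2", "p3"}),
    "t2": ({"p2"}, {"p4"}),
    "t3": ({"p3"}, {"p5"}),
    "t4": ({"p4", "p5"}, {"p1"}),
}
LEAKY = {
    "t1": ({"a"}, {"b"}),
    "t2": ({"b"}, {"a"}),
    "t3": ({"b"}, {"c"}),
    "t4": ({"c"}, set()),        # consumes a token and produces none
}


def marking(net, **tokens):
    """Total marking M : places -> N, with every unnamed place blank."""
    places = {p for ins, outs in net.values() for p in ins | outs}
    return {p: tokens.get(p, 0) for p in sorted(places)}


def fire(net, m, t):
    """Return M' with M[t>M', or None when t is not firable at M."""
    ins, outs = net[t]
    if any(m[p] == 0 for p in ins):      # defined only if every input place is marked
        return None
    nxt = dict(m)
    for p in ins - outs:                 # p in (inputs of t) - (outputs of t) loses a token
        nxt[p] -= 1
    for p in outs - ins:                 # p in (outputs of t) - (inputs of t) gains a token
        nxt[p] += 1
    return nxt                           # places that are both input and output are unchanged


def marking_class(net, m0, limit=10_000):
    """Forward marking class of m0 by breadth-first search over firings."""
    key = lambda m: tuple(sorted(m.items()))
    seen = {key(m0): m0}
    queue = deque([m0])
    while queue:
        m = queue.popleft()
        for t in net:
            nxt = fire(net, m, t)
            if nxt is None or key(nxt) in seen:
                continue
            if len(seen) >= limit:
                raise RuntimeError("marking class exceeds limit; net may be unbounded")
            seen[key(nxt)] = nxt
            queue.append(nxt)
    return list(seen.values())


def is_safe(net, m0):
    """Every place holds at most one token in every reachable marking."""
    return all(n <= 1 for m in marking_class(net, m0) for n in m.values())


def live_transitions(net, m0):
    """Transitions that some firing sequence can still fire from every reachable marking."""
    live = set(net)
    for m in marking_class(net, m0):
        later = marking_class(net, m)
        live &= {t for t in net if any(fire(net, m2, t) is not None for m2 in later)}
    return live


def is_live(net, m0):
    """A marking is live when every transition is live at it."""
    return live_transitions(net, m0) == set(net)
```

LEAKY with one token on a is safe but has no live transition, which is the situation the thesis later sets aside when it studies live-and-safe markings rather than safeness alone.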
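Def. A subnet of a Petri Net $\langle \Pi, \Sigma, \bullet \rangle$ is a Petri Net
$\langle \Pi', \Sigma', \circ \rangle$ such that:
   $\Pi' \subseteq \Pi$
   $\Sigma' \subseteq \Sigma$
   ($\circ$ is the restriction of $\bullet$) $\circ = \bullet \cap (\Pi' \times \Sigma' \cup \Sigma' \times \Pi')$

Short notation for a Petri Net $\langle \Pi, \Sigma, \bullet \rangle$: $\langle \Pi, \Sigma \rangle$

This can be used whenever $\bullet$ is clear from context. Thus, if we
say that $\langle \Pi', \Sigma' \rangle$ is a subnet of $\langle \Pi, \Sigma \rangle$, it is understood that the
arc relation for $\langle \Pi', \Sigma' \rangle$ is the restriction of the relation for
$\langle \Pi, \Sigma \rangle$ to the set of vertices $\Pi' \cup \Sigma'$.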


expressed  as:  p  •  t^  t^  •  p^ 

p  •  t0  etc. 

o  2 

also: $p^\bullet = \{t \mid p \bullet t\}$, $p \in \Pi$, $t \in \Sigma$

${}^\bullet p = \{t \mid t \bullet p\}$
$t^\bullet = \{p \mid t \bullet p\}$

if $P \subseteq \Pi$, then $P^\bullet = \{t \mid \exists p \in P \text{ and } p \bullet t\}$

Hence, in example above: $P^\bullet = \{t_1, t_2\}$

$\{t_1, t_2\}^\bullet = \{p_1, p_2, p_3\}$

3.2 Formal Definition of the Subclasses

Definition: A State Machine (SM) is a Petri Net $\langle \Pi, \Sigma, \bullet \rangle$
such that: $\forall t \in \Sigma:\ |{}^\bullet t| = |t^\bullet| = 1$.

($|A|$, where A is a set, is the cardinality of the
set A). In other words, each transition has exactly
one input place and one output place (cf. Chapter 1).


Definition: A Marked Graph (MG) is a Petri Net $\langle \Pi, \Sigma, \bullet \rangle$
such that: $\forall p \in \Pi:\ |{}^\bullet p| = |p^\bullet| = 1$

Definition: A Free Choice Petri Net (FC) is a Petri Net $\langle \Pi, \Sigma, \bullet \rangle$
such that: $(\forall p \in \Pi)(\forall t \in \Sigma):\ p \bullet t \Rightarrow p^\bullet = \{t\}$ or ${}^\bullet t = \{p\}$,
i.e. an arc from a place p to a transition t either is
the unique output arc of p or the unique input arc to
t.


3.3 Traps and Deadlocks

In a Petri Net $\langle \Pi, \Sigma \rangle$:

Definition: A Trap is a subset of places $T \subseteq \Pi$ such that $T^\bullet \subseteq {}^\bullet T$,
i.e. every transition having an input place in T must
have an output place in T.

Definition: In a Petri Net $\langle \Pi, \Sigma \rangle$ a Deadlock is a subset of places
$D \subseteq \Pi$ such that ${}^\bullet D \subseteq D^\bullet$, i.e. every transition having
an output place in D must have an input place in D.

In a strongly connected Petri Net $\langle \Pi, \Sigma \rangle$, it is clear that we have
${}^\bullet \Pi = \Pi^\bullet = \Sigma$, hence it is both a trap and a deadlock.

Terminology: a set of places $P \subseteq \Pi$ in a Petri Net $\langle \Pi, \Sigma \rangle$ with
marking M is said to be

- blank, if no place contains a token: $\forall p \in P:\ M(p) = 0$
- marked, if some place contains a token: $\exists p \in P:\ M(p) \ge 1$
- empty, if it is the empty set: $P = \emptyset$

CHAPTER 4

Necessary and Sufficient Conditions for Liveness and
Safeness in Free Choice Petri Nets


4.1 Commoner's Liveness Theorem

Commoner solved the problem of deciding whether a given marking in
a Free Choice Petri Net is live by proving that a necessary and sufficient
condition for liveness is that every deadlock contain a marked
trap. The proof we give here follows very closely the original proof
of the theorem.

4.1.1 Sufficiency Condition

First, we prove the sufficiency condition, namely that if every
deadlock contains a marked trap, then the marking is live. Lemma 1
establishes the influence of blank deadlocks on possible firings, and
can be regarded as a mere technical preliminary to Lemma 2. Lemma 2 is
phrased in a way as to directly lead to a proof by induction on the size
of a subset of transitions. If the subset includes all transitions,
Lemma 1 is applicable and provides the basis for the inductive proof.

If the subset contains only one transition, the lemma expresses a sufficient
liveness condition for that transition. Theorem 1, the sufficiency
condition for liveness in Free Choice nets, follows immediately
from Lemma 2.

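Lemma 1: In a Petri Net $\langle \Pi, \Sigma \rangle$, let $M^\circ \subseteq \Pi$ be the set of blank places,
and $M^+ \subseteq \Pi$ be the set of marked places ($\Pi = M^\circ \cup M^+$).

Let $W \subseteq \Sigma$ be a subset of transitions.

Then ${}^\bullet({}^\bullet W \cap M^\circ) \subseteq W \Rightarrow$ either: some t firable in W
   (i.e. $\exists t \in W:\ {}^\bullet t \subseteq M^+$)
   or: $\exists$ blank deadlock D: $W \subseteq D^\bullet$

Proof: Assume no t firable in W: $\neg(\exists t \in W \text{ and } {}^\bullet t \subseteq M^+)$

i.e.: $\forall t\,(t \notin W \text{ or } {}^\bullet t \not\subseteq M^+)$
then we get $\forall t:\ t \in W \Rightarrow {}^\bullet t \cap M^\circ \neq \emptyset$

$\forall t:\ t \in W \Rightarrow t \in ({}^\bullet t \cap M^\circ)^\bullet$
hence $W \subseteq ({}^\bullet W \cap M^\circ)^\bullet$

But ${}^\bullet({}^\bullet W \cap M^\circ) \subseteq W$ by hypothesis: $({}^\bullet W \cap M^\circ)$ is a
blank deadlock.

Example:


$W = \{t_2, t_3, t_4\}$

${}^\bullet({}^\bullet W \cap M^\circ) = \{t_3, t_4\}$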
blank  deadlock:  {p3>  p^} 


Lemma 2: In a Free Choice Petri Net $\langle \Pi, \Sigma \rangle$ with marking M, let $W \subseteq \Sigma$
be a subset of transitions such that no firing sequence fires
any transition in W. Then there exists a marking M' reachable
from M such that there is a blank deadlock $D \subseteq {M'}^\circ$ and
$W \subseteq D^\bullet$.

Proof: By induction on the size of $(\Sigma - W)$.

Basis: $|\Sigma - W| = 0$

Then $W = \Sigma$. Since $\Sigma$ is the set of all transitions in the net,
${}^\bullet({}^\bullet W \cap M^\circ) \subseteq W$ is trivially true. Therefore Lemma 1 applies
directly to show that, if no transition can be fired in W,
there must be a blank deadlock D such that $W \subseteq D^\bullet$.

Inductive Step: $|\Sigma - W| > 0$

Let the initial marking be $M_0 = M$. We shall construct a
firing sequence leading successively to the markings
$M_1, M_2, \ldots, M'$ such that, at M', we have a blank deadlock
$D \subseteq {M'}^\circ$ and $W \subseteq D^\bullet$.

a) We shall show that no firing sequence fires any
transition in $({}^\bullet W)^\bullet$. For suppose there is a transition $t_0 \in W$
and a place $p_0 \in {}^\bullet t_0$ such that some transition $t_1 \in p_0^\bullet$ can be
fired by some firing sequence. Since no firing sequence fires
in W by hypothesis, we must have $t_1 \in p_0^\bullet - W$.

But then $p_0$ has several output transitions, and by the Free
Choice hypothesis, if $t_1$ can be fired $t_0$ can also be fired,
which contradicts the hypothesis that no firing sequence
fires any transition in W:

• No firing sequence fires any transition in $({}^\bullet W)^\bullet$.

b) Let the present marking be $M_i$. There are two cases:

Case 1: ${}^\bullet({}^\bullet W \cap M_i^\circ) \subseteq W$

In this case Lemma 1 applies. Since, by hypothesis, no firing
sequence fires in W, there must be a blank deadlock
$D = ({}^\bullet W \cap M_i^\circ)$ such that $W \subseteq D^\bullet$, which proves Lemma 2 with
$M' = M_i$.

Case 2: ${}^\bullet({}^\bullet W \cap M_i^\circ) \not\subseteq W$

Then there exists a transition $t \in {}^\bullet({}^\bullet W \cap M_i^\circ) - W$.

There are two subcases:

Case 2.1: No firing sequence fires t.

Then, let $W' = W \cup \{t\}$. No firing sequence fires any transition
in W'. But $|\Sigma - W'| = |\Sigma - W| - 1$: By the inductive
hypothesis, there must exist a firing sequence $\sigma$ leading to
a marking $M' = M_i[\sigma\rangle$ such that there is a blank deadlock
$D \subseteq {M'}^\circ$ and $W' \subseteq D^\bullet$. Then, since $W \subseteq W'$, we have proved
Lemma 2 with marking M' and deadlock D.


Case 2.2: There exists a firing sequence $\sigma$ which fires t.

Let $M_{i+1} = M_i[\sigma\rangle$. Since, because of a), $\sigma$ does not fire any
transition in $({}^\bullet W)^\bullet$, we have: $({}^\bullet W \cap M_{i+1}^\circ) \subseteq ({}^\bullet W \cap M_i^\circ)$. Then,
since t fires into ${}^\bullet W \cap M_i^\circ$ and $\sigma$ does not fire in $({}^\bullet W)^\bullet$, we
have: $|{}^\bullet W \cap M_{i+1}^\circ| < |{}^\bullet W \cap M_i^\circ|$.

We repeat the argument at marking $M_{i+1}$. Since, each time we
have to apply case 2.2, the size of $({}^\bullet W \cap M_i^\circ)$ decreases, we
must eventually terminate at case 1 or case 2.1.


q.e.d.

From Lemma 2 we deduce that if no deadlock can ever be blank, there
must always be a firing sequence that fires any given transition.
(Take $W = \{t\}$.) But if a deadlock contains a marked trap, since the
trap will always contain at least one token, the deadlock cannot
become blank:

Theorem 1. If in a FC net every deadlock contains a marked trap, then
the net is live.

(Sufficient condition for liveness)


4.1.2  Necessary  Condition. 

We  want  to  prove  that  in  a  live  FC  net,  every  deadlock  must  contain 
a  marked  trap,  i.e.  if  the  maximal  trap  in  some  deadlock  is  blank,  there 
must  exist  a  killing  sequence,  that  is,  a  firing  sequence  leading  to  a 
marking  where  some  transition  can  never  be  fired  again. 

Such a killing sequence can be obtained by making a certain choice
ahead of time of the exit of multiple-output places: this selection is
called an allocation. More precisely, we shall define an allocation on
a set of places as a function which associates exactly one of the place's
output transitions with the place. An allocation is circuit-free if
there is no closed path through allocated transitions only.


Definition:

• An allocation A on a set of places S is a function:

   $A: S \to S^\bullet$

   such that $\forall p \in S:\ A(p) \in p^\bullet$

• An allocation A is circuit-free if there does not exist a path
  $p_0, t_0, p_1, t_1, \ldots, p_n, t_n$ of places and transitions such that:

   $A(p_i) = t_i$, $p_{i+1} \in t_i^\bullet$; $p_0 \in t_n^\bullet$

• The set of allocated transitions is $\{t \mid \exists p \in S \text{ and } t = A(p)\}$,
  denoted by $A(S)$

• The set of excluded transitions is
  $\{t \in S^\bullet \mid \forall p \in {}^\bullet t:\ p \in S \Rightarrow t \neq A(p)\}$,
  denoted by $\bar{A}(S)$

Note that $A(S) \cap \bar{A}(S) = \emptyset$
          $A(S) \cup \bar{A}(S) = S^\bullet$

Hence $\bar{A}(S) = S^\bullet - A(S)$

The objective of the proof is to show that if some deadlock contains a
blank trap, we can construct a killing sequence that does not put a
token on the trap. First, we show the existence of an allocation that
prevents the trap from getting a token, then we prove that this allocation
permits us to kill the net.

Lemma 3: Given a set of places $Q \subseteq \Pi$ and the maximal trap T in Q, there
is a circuit-free allocation $A: (Q - T) \to (Q - T)^\bullet$ of $Q - T$
that does not allocate into the trap, i.e.:

$\forall p \in (Q - T):\ A(p) \notin {}^\bullet T$, or: $A(Q - T) \cap {}^\bullet T = \emptyset$

The maximal trap is the largest trap, or the union of all traps, in Q.
It may be the empty trap, i.e. there may be no trap in Q.

Proof: By induction on $|Q - T|$.

• if Q = T, the empty allocation $\emptyset \to \emptyset$ satisfies the conditions
  trivially.

• assume $|Q - T| > 0$: $\exists p_0 \in Q - T$, $\exists t_0 \in p_0^\bullet$ such that $t_0^\bullet \cap Q = \emptyset$,
  since $p_0$ is not in the maximal trap.

Hence, T is the maximal trap in $Q' = Q - \{p_0\}$. By inductive
hypothesis there exists a circuit-free allocation A' of $Q' - T$
such that

$A'(Q' - T) \cap {}^\bullet T = \emptyset$


Let $A: (Q - T) \to (Q - T)^\bullet$ be the allocation whose restriction
to $Q' - T$ is A', and which assigns $t_0$ to $p_0$:

$\forall p \in Q - T$:  $p \neq p_0 \Rightarrow A(p) = A'(p)$
                        $p = p_0 \Rightarrow A(p) = t_0$

$A(Q - T) = A'(Q' - T) \cup \{t_0\}$

Since $A'(Q' - T) \cap {}^\bullet T = \emptyset$

and $t_0^\bullet \cap Q = \emptyset \Rightarrow t_0 \notin {}^\bullet T$

we have $A(Q - T) \cap {}^\bullet T = \emptyset$:

A does not allocate into T. Now suppose A is not circuit-free.
Then, since A' is circuit-free, any circuit of A must
contain the arc $p_0 \bullet t_0$. But $t_0^\bullet \cap Q = \emptyset$: the arc $p_0 \bullet t_0$
is not part of any circuit in Q, hence in $Q - T$.

Allocation A satisfies the conditions of Lemma 3.

q.e.d.


Lemma 4: If the maximal trap T in any deadlock D of a Free Choice net
is blank, there exists a firing sequence which leads to a
marking where no transition of $D^\bullet$ is live.

Proof: Let $A: (D - T) \to (D - T)^\bullet$ be a circuit-free allocation of
$D - T$ such that $A(D - T) \cap {}^\bullet T = \emptyset$. Such an allocation exists
by Lemma 3.

Let us call a firing sequence that does not fire any excluded
transitions an A-sequence:

$\sigma$ is an A-sequence $\Leftrightarrow \forall t \in \sigma:\ t \notin \bar{A}(D - T)$

Then: - no A-sequence puts tokens on T: T remains blank
        (A does not allocate into T and D is a deadlock).
      - no A-sequence fires in $(D - T)^\bullet - A(D - T)$
        [excluded transitions $\bar{A}(D - T)$]
      - no A-sequence fires in $T^\bullet$ since T remains blank.

hence: no A-sequence fires in $T^\bullet \cup [(D - T)^\bullet - A(D - T)]$.

Let B be a set of places in $D - T$: $B \subseteq D - T$.

claim: The only firings in an A-sequence that put tokens on
B are those that fire in $A(D - T)$:

For B to receive a token, the sequence must fire in
${}^\bullet B$. But $B \subseteq D$ and ${}^\bullet D \subseteq D^\bullet$, hence ${}^\bullet B \subseteq D^\bullet$. Since $T \subseteq D$
we have: $D^\bullet = (D - T)^\bullet \cup T^\bullet$.

Hence ${}^\bullet B \subseteq T^\bullet \cup (D - T)^\bullet$

But an A-sequence does not fire in $T^\bullet \cup ((D - T)^\bullet - A(D - T))$,
hence any firing of an A-sequence in ${}^\bullet B$ must be in $A(D - T)$.

Now let $B_0 = \{p \in D - T \mid \nexists p' \in D - T:\ p \in (A(p'))^\bullet\}$,
i.e. $B_0$ is the set of "heads" of the circuit-free allocation.

Since ${}^\bullet B_0 \cap A(D - T) = \emptyset$ by construction, no A-sequence puts
tokens on $B_0$, hence there is a bound on the number of times
any A-sequence can fire in $B_0^\bullet$.

Now let $B_{i+1} = \{p \in D - T \mid \nexists p' \in (D - T) - B_i:\ p \in (A(p'))^\bullet\}$

Assume

$t \in {}^\bullet B_{i+1} \cap A(D - T)$

Then, we have:

$\exists p \in B_{i+1}:\ p \in t^\bullet$

$\exists p' \in D - T:\ t = A(p')$

This implies

$p \in (A(p'))^\bullet$

Hence, by the definition of $B_{i+1}$:

$p' \notin (D - T) - B_i$

This implies that every such t must be in $B_i^\bullet$.

Hence: ${}^\bullet B_{i+1} \cap A(D - T) \subseteq A(B_i)$

We know that any A-sequence can fire only a bounded number of
times in $B_0^\bullet$. Assume (inductive hypothesis) that any A-sequence
can fire only a bounded number of times in $B_i^\bullet$. It
follows from ${}^\bullet B_{i+1} \cap A(D - T) \subseteq A(B_i)$ that any A-sequence can
put only a bounded number of tokens (cumulatively) on $B_{i+1}$, and
hence can fire only a bounded number of times in $B_{i+1}^\bullet$.

Now, we show that $B_i \subseteq B_{i+1}$.

Assume $B_i \not\subseteq B_{i+1}$: There must be a place $p \in D - T$ such that:

$p \notin B_{i+1}$, i.e.: $\exists p_0 \in (D - T) - B_i:\ p \in (A(p_0))^\bullet$
$p \in B_i$, i.e.: $\nexists p' \in (D - T) - B_{i-1}:\ p \in (A(p'))^\bullet$

Hence, we must have: $p_0 \notin B_i$
                     $p_0 \in B_{i-1}$

That is to say: $B_{i-1} \not\subseteq B_i$

By repeating the argument for decreasing values of i, we get:
$B_i \not\subseteq B_{i+1} \Rightarrow B_0 \not\subseteq B_1$

But this leads to a contradiction: There must be a place
$p \in D - T$ such that:

$p \notin B_1$, i.e.: $\exists p_0 \in (D - T) - B_0:\ p \in (A(p_0))^\bullet$

$p \in B_0$, i.e.: $\nexists p' \in D - T:\ p \in (A(p'))^\bullet$

which implies both $p_0 \in D - T$ and $p_0 \notin D - T$.

This permits us to rewrite the definition of $B_{i+1}$ as:

$B_{i+1} = B_i \cup \{p \in (D - T) - B_i \mid \nexists p' \in (D - T) - B_i:\ p \in (A(p'))^\bullet\}$

Then $B_{i+1} - B_i = \emptyset \Leftrightarrow (D - T) - B_i = \emptyset$ or

$\forall p \in (D - T) - B_i\ \exists p' \in (D - T) - B_i:\ p \in (A(p'))^\bullet$

But the second alternative is impossible since A is circuit-free.

Hence, since $B_i \subseteq B_{i+1} \subseteq D - T$:

$B_{i+1} = B_i \Leftrightarrow B_i = D - T$

This implies that the sequence $B_i$ grows strictly until it covers
all of $D - T$. In particular, $D - T$ is some $B_i$ and hence, by induction:

Any A-sequence can fire only a bounded number of times in $(D - T)^\bullet$.
Since no A-sequence fires in $T^\bullet$, and $(D - T)^\bullet \cup T^\bullet = D^\bullet$, we have:

There is an upper bound on the number of times any A-sequence can
fire in $D^\bullet$. Hence, there exists an A-sequence which leads to a
marking M such that no A-sequence starting at M can fire in $D^\bullet$.


[Figure: the circuit-free allocation is shown in bold.]

So far, we have not used the Free-Choice Hypothesis. Now we
show that, in a Free-Choice net, every firing sequence starting at
M is an A-sequence, and hence does not fire in $D^\bullet$.

Assume there is a firing sequence $\sigma t_0$ that starts at M and is
not an A-sequence, but $\sigma$ is an A-sequence, i.e. $\sigma t_0$ is the shortest
non-A-sequence from marking M. Hence, we must have $p \in {}^\bullet t_0$ such
that:

$p \in D - T$

$A(p) = t_1 \neq t_0$

But then, by Free-Choice hypothesis: ${}^\bullet t_0 = \{p\}$

${}^\bullet t_1 = \{p\}$

and ($t_0$ firable at $M[\sigma\rangle$) $\Rightarrow$ ($t_1$ firable at $M[\sigma\rangle$). But $\sigma t_1$ is an
A-sequence and $t_1 \in D^\bullet$: this contradicts our hypothesis that no
A-sequence starting at M can fire in $D^\bullet$.

This proves Lemma 4.


Lemma  4  immediately  implies: 

Theorem  2 :  If  a  Free  Choice  net  is  live,  every  deadlock  contains  a 
marked  trap. 

Proof :  If  some  deadlock  does  not  contain  a  marked  trap,  its  maximal 

trap  must  be  blank:  apply  Lemma  4. 

From  Theorems  1  and  2  follows 


Commoner's Liveness Theorem (Theorem 3): A Free-Choice Net is live if and
only if every deadlock contains a marked trap.
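Commoner's condition and the allocation built in the proof of Lemma 3 are both purely structural, so they can be computed directly from the arc relation. The following Python code is an added example, not part of the thesis; the nets LEAKY and CLOSED and all function names are constructed for illustration, and it is assumed that the theorem quantifies over non-empty deadlocks only.

```python
from itertools import combinations

# Nets map each transition to (input places, output places); both nets are
# constructed for this example and are not taken from the thesis.
LEAKY = {"t1": ({"a"}, {"b"}), "t2": ({"b"}, {"a"}),
         "t3": ({"b"}, {"c"}), "t4": ({"c"}, set())}
CLOSED = {**LEAKY, "t4": ({"c"}, {"a"})}      # t4 now returns the token to a


def post(net, P):
    """Post-set of a place set P: transitions with an input place in P."""
    return {t for t, (ins, _) in net.items() if ins & P}


def pre(net, P):
    """Pre-set of a place set P: transitions with an output place in P."""
    return {t for t, (_, outs) in net.items() if outs & P}


def is_free_choice(net):
    """Every arc p -> t is the only output arc of p or the only input arc of t."""
    return all(post(net, {p}) == {t} or ins == {p}
               for t, (ins, _) in net.items() for p in ins)


def deadlocks(net, places):
    """All non-empty D with pre(D) inside post(D), by brute force (small nets only)."""
    ps = sorted(places)
    return [set(c) for r in range(1, len(ps) + 1)
            for c in combinations(ps, r) if pre(net, set(c)) <= post(net, set(c))]


def maximal_trap(net, Q):
    """Largest trap inside Q: drop places until none has an output
    transition whose output places all lie outside the candidate set."""
    T = set(Q)
    while True:
        bad = {p for p in T if any(not (net[t][1] & T) for t in post(net, {p}))}
        if not bad:
            return T
        T -= bad


def commoner_live(net, places, marking):
    """Commoner's condition: every (non-empty) deadlock contains a marked trap."""
    if not is_free_choice(net):
        raise ValueError("the theorem is stated for Free Choice nets only")
    marked = {p for p in places if marking.get(p, 0) > 0}
    return all(bool(maximal_trap(net, D) & marked) for D in deadlocks(net, places))


def circuit_free_allocation(net, Q):
    """Lemma 3 construction on Q - T, T the maximal trap of Q: repeatedly pick
    p0 outside T with an output t0 whose outputs miss what is left of Q."""
    T, rest, A = maximal_trap(net, Q), set(Q), {}
    while rest != T:
        p0, t0 = next((p, t) for p in sorted(rest - T)
                      for t in sorted(post(net, {p})) if not (net[t][1] & rest))
        A[p0] = t0
        rest.discard(p0)
    return A, T


def is_circuit_free(net, A):
    """No closed path p0 t0 p1 t1 ... through allocated transitions only."""
    alive = set(A)
    while alive:
        ends = {p for p in alive if not (net[A[p]][1] & alive)}
        if not ends:
            return False          # every remaining place feeds another: a circuit
        alive -= ends
    return True
```

In LEAKY the deadlock {a, b} has an empty maximal trap, so no marking is live; the allocation a -> t1, b -> t3 excludes t2, and firing only allocated transitions drains the deadlock as in the proof of Lemma 4.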
4.2 Safeness; Live-and-Safe Markings

For our purposes, it is not very interesting to study safeness in
non-live nets. For example, every Petri Net that has no zero-input
transitions has at least one safe marking: the blank marking.
Hence, the concept of Live-and-Safe is studied rather than safeness for
its own sake.

4.2.1 Definition of a Covering of a Petri Net

Deadlocks and traps have been defined as sets of places. However,
we also use sets of transitions associated with such sets of places, both
in the definition ${}^\bullet D \subseteq D^\bullet$ and in applications: cf. proofs seen so far.
So, we define the concept of a consistent subnet defined by a set of
places Q:

Definition: A consistent subnet of a Petri Net $\langle \Pi, \Sigma \rangle$ defined by a set
of places $Q \subseteq \Pi$ is the Petri Net $\langle Q, {}^\bullet Q \cup Q^\bullet \rangle$, i.e. the net
consisting of Q and all transitions directly connected to Q.


Example: [Figure: original net, and the consistent subnet defined by $\{p_2, p_3\}$]


We also define the union of two consistent subnets defined by $Q \subseteq \Pi$
and $Q' \subseteq \Pi$ as the consistent subnet defined by $Q \cup Q'$.

Definition: A Petri Net is covered by a collection of consistent subnets
if the union of these consistent subnets over the collection
is the whole net, or equivalently, if every place
is in some consistent subnet of the collection.


We say that these subnets form a covering of the original net.


Note that if Q is

   a deadlock, its consistent subnet is $\langle Q, Q^\bullet \rangle$
   a trap, its consistent subnet is $\langle Q, {}^\bullet Q \rangle$.


4.2.2 A Necessary Condition for a Live-and-Safe Marking in a Free
Choice Net

The prototype of a live and safe net is a net where there is always
only one token. Strongly connected State Machines, where every transition
has exactly one input and one output place, have such one-token live and
safe markings. We will show that the concept of one-token Strongly
Connected State Machine (SCSM) is central to the discussion of Live and
Safe Free Choice Nets.

We shall first prove that if a Free Choice Net is live and safe,
there must exist a covering of one-token SCSM's.

First we note that if the net is live and safe at marking M, the
marking M' obtained by removing one token from M is not live. For if it
were, we could get another stone on the place where the previous stone
was removed, and hence the marking M would have been unsafe. (We must
exclude here nets that have isolated places, i.e. not connected to any
transition; this should not be a severe restriction however.)


Theorem 4: If a Free-Choice net is Live and Safe, there is a covering
by one-token Strongly Connected State Machines:

LSFC $\Rightarrow$ covered by one-token SCSM's.

Proof: a) Live and Free Choice $\Rightarrow$ every deadlock contains a marked
trap.

Live and Safe: If we take one token away, the net is
non-live, and some deadlock has a blank maximal trap.
(We need both the necessary and sufficient condition for liveness.)

Hence: LSFC $\Rightarrow$ every token is the unique token of the maximal trap in
some deadlock.


b) Suppose such a deadlock is not minimal. Then the token of
the maximal trap will be in the maximal trap of some smaller
deadlock. (There is only one token available, every deadlock
must contain a marked maximal trap, and the maximal
trap of the smaller deadlock is contained in the maximal
trap of the containing deadlock.)


Hence: LSFC $\Rightarrow$ Every token is the unique token of the maximal trap in
some minimal Deadlock.

c) In a FC net, the consistent subnet defined by a minimal
deadlock does not contain a transition with more than two
input places. If there were such a transition, its input
places would have no other output transition (Free Choice).
But then we could take away all but one input place and
still have a deadlock: The deadlock was not minimal.
Therefore, the number of tokens in the maximal trap of a
minimal deadlock in a FC net may not decrease by any firing
sequence.


Now suppose the consistent subnet defined by the maximal
trap in the minimal deadlock has a transition with two
output places. If the net is live, every firing of this
transition increases the number of tokens on the trap. But
it cannot decrease: unbounded, hence unsafe.


Hence: The maximal trap in a minimal deadlock of a live and safe
Free-Choice Net defines a State Machine as consistent subnet.


Suppose the maximal trap is not a deadlock itself. There
must be a transition which puts a token on the trap without
taking one away, hence liveness implies unsafeness, as above.

Hence: LSFC $\Rightarrow$ every minimal deadlock is a trap and defines a State
Machine.


f) Suppose a minimal deadlock that is a non-strongly connected
State Machine:


But then, if AB is a deadlock, so is A, hence AB cannot be
minimal.


LSFC $\Rightarrow$ every minimal deadlock defines a SCSM.

g) From b) and f) it follows that every token is the unique token
in a SCSM. But the net is assumed to be live: any place can
hold a token at some time. (We exclude nets with isolated places.)

Hence: LSFC $\Rightarrow$ covered by one-token SCSM's.


q.e.d.
4.2.3 Sufficiency Condition for Safeness in a Live Free Choice Net

Now we wish to prove that a one-token SCSM covering is sufficient
for safety, and derive a necessary and sufficient condition for
live-and-safeness of a Free Choice net.

Lemma 5: In a Free Choice net that does not have a live and safe
marking, every live marking is unbounded (some place collects
an unbounded number of tokens).

Proof: By hypothesis, every live marking is unsafe. From the liveness
theorem we know that if a marking M is live, so is the
marking $M' = M \cap 1$ obtained by removing, from every place, every
token except one: Every trap remains marked.

Let $M_0$ be a live marking, hence unsafe. We shall fire until
we reach a marking $M'_0 \in \vec{M}_0$ where some place has more than one
token. We now paint, in every place, every token red except
one, and pledge not to move the red tokens anymore. We continue
firing with the non-painted tokens; effectively we fire
now in $\vec{M}_1$, where $M_1 = M'_0 \cap 1$.

Since $M_1$ is live, it is unsafe; fire until $M'_1$ where some
place contains more than one token, paint some tokens red,
continue firing in $\vec{M}_2$ where $M_2 = M'_1 \cap 1$, etc. At each step,
the number of red tokens strictly increases. But our pledge
not to move them is perfectly consistent with the firing rule:
any marking in $\vec{M}_i$ together with all red tokens accumulated
so far is a marking in $\vec{M}_0$: $\vec{M}_0$ is unbounded: there
is no bound on the number of tokens in the markings of $\vec{M}_0$.

q.e.d.

The above lemma only depends on the fact that liveness is determined
by places having tokens or not, in contrast to having a specific
number of tokens. This property holds for FC nets but not for more
general nets:

But it is false for the following net:

[Figure: a net with places $p_1$ and $p_2$]

No live marking is safe, but
the marking $M(p_1) = 2$, $M(p_2) = 1$
is live, unsafe, bounded.

But removing one token
from $p_1$ kills the net.
Surprisingly, adding one
token to $p_2$ also kills the
net!


4.3 The Live-and-Safeness Theorem


Theorem 5: If a Free Choice net is covered by Strongly Connected State
Machines and has a live marking, it has a live and safe
marking.

Proof: The number of tokens on any of the covering SCSM's is constant
for all firing sequences. Hence an upper bound for the number
of tokens is the sum of the number of tokens over all covering
SCSM's. (If a token is shared among several covering SCSM's,
it is counted several times.) But then, by Lemma 5, if there
is a live marking there must be a live and safe marking.


q.e.d.


From the proof of Theorem 4 (necessary condition for safeness) it
follows that in a live and safe Free Choice net every minimal deadlock
is a SCSM. Conversely, a SCSM is always a minimal deadlock and contains
a trap, namely itself.

Hence:

Live-and-Safeness Theorem (Theorem 6): A Free Choice net is live and safe
if and only if it is covered by one-token SCSM's and every
minimal deadlock is a marked SCSM.

The following example shows the importance of the word marked
SCSM:


covered by one-token SCSM's
every minimal deadlock is a SCSM
some minimal deadlock is blank
not Live and Safe


covered by one-token SCSM's
every minimal deadlock is SCSM, and marked
some minimal deadlock has 2 tokens
Live and Safe

Corollary: A Free Choice net has a live and safe marking if and only
if it is covered by SCSM's and every minimal deadlock is a
SCSM.

Proof: The only-if part follows immediately from Theorem 6. Now
suppose every minimal deadlock is a SCSM, hence contains a
trap: The marking that has at least one token on each
SCSM is live. Then, by Theorem 5, it has a live-and-safe
marking.

q.e.d.
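The test given by Theorem 6 can be run on a small net by enumerating its minimal deadlocks and examining the consistent subnet each one defines. The following Python code is an added example, not part of the thesis; the nets FORK_JOIN and LEAKY and all function names are constructed for illustration, the net is assumed to be Free Choice, and the covering SCSM's are searched among the minimal deadlocks, relying on the statement above that a SCSM is always a minimal deadlock.

```python
from itertools import combinations

# Transition -> (input places, output places). Both nets are constructed
# for this example; neither is a figure from the thesis.
FORK_JOIN = {
    "t1": ({"p1"}, {"p2", "p3"}),
    "t2": ({"p2"}, {"p4"}),
    "t3": ({"p3"}, {"p5"}),
    "t4": ({"p4", "p5"}, {"p1"}),
}
LEAKY = {"t1": ({"a"}, {"b"}), "t2": ({"b"}, {"a"}),
         "t3": ({"b"}, {"c"}), "t4": ({"c"}, set())}


def pre(net, P):
    """Transitions with an output place in P."""
    return {t for t, (_, outs) in net.items() if outs & P}


def post(net, P):
    """Transitions with an input place in P."""
    return {t for t, (ins, _) in net.items() if ins & P}


def minimal_deadlocks(net, places):
    """Non-empty deadlocks that contain no smaller deadlock (brute force)."""
    found = []
    ps = sorted(places)
    for r in range(1, len(ps) + 1):          # increasing size: subsets are found first
        for c in map(set, combinations(ps, r)):
            if pre(net, c) <= post(net, c) and not any(d <= c for d in found):
                found.append(c)
    return found


def is_scsm(net, Q):
    """Is the consistent subnet defined by Q a strongly connected state machine?"""
    step = {}
    for t in pre(net, Q) | post(net, Q):
        ins, outs = net[t][0] & Q, net[t][1] & Q
        if len(ins) != 1 or len(outs) != 1:
            return False                      # not one input and one output place in Q
        step.setdefault(next(iter(ins)), set()).add(next(iter(outs)))

    def reach(start):
        seen, todo = {start}, [start]
        while todo:
            for q in step.get(todo.pop(), ()):
                if q not in seen:
                    seen.add(q)
                    todo.append(q)
        return seen

    return all(reach(p) == set(Q) for p in Q)


def live_and_safe(net, places, marking):
    """Theorem 6: covered by one-token SCSM's, every minimal deadlock a marked SCSM."""
    tokens = lambda Q: sum(marking.get(p, 0) for p in Q)
    mins = minimal_deadlocks(net, places)
    if not all(is_scsm(net, D) and tokens(D) >= 1 for D in mins):
        return False
    one_token = [D for D in mins if tokens(D) == 1]
    return set().union(*one_token) == set(places)
```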


CHAPTER  5 

Decomposition  of  Free  Choice  Petri  Nets 

5.1  Well-Formedness  in  Free  Choice  Petri  Nets 

In  the  Live-and-Safeness  Theorem  (Theorem  6)  we  used  the  concept 
of  a  covering  by  Strongly  Connected  State  Machines.  In  this  chapter 
we  shall  consider  an  algorithm  for  obtaining  such  a  decomposition. 

There  may  be  several  possible  coverings  of  SCSM's  that  satisfy  the 
corollary  of  Theorem  6  (Existence  of  a  Live-and-Safe  Marking).  Our 
algorithm  will  produce  all  such  coverings.  If  the  net  has  no  SCSM 
coverings  that  satisfy  Theorem  6,  the  algorithm  will  produce  subnets 
that  are  not  strongly  connected,  or  not  State  Machines.  This  gives  us 
yet  another  test  for  the  existence  of  a  Live-and-Safe  Marking  in  a  Free 
Choice  net. 

For  convenience,  we  shall  call  a  Free  Choice  net  that  satisfies  the 
corollary  of  Theorem  6  a  Well-Formed  (WF)  Free  Choice  Net.  This  chapter 
then  discusses  various  Well-Formedness  criteria  and  tests. 

Definition: A Free Choice Petri Net is Well-Formed if it is covered by
Strongly Connected State Machines and every minimal deadlock
is a Strongly Connected State Machine.

Corollary: A Free Choice Petri Net has a Live-and-Safe Marking if and
only if it is Well-Formed.

FC: $\exists LS \Leftrightarrow WF$

5.2 Duality, Reverse-Duality; Open and Closed Consistent Subnets

The  decomposition  algorithms  and  proofs  in  this  chapter  require  the 
definition  of  some  new  concepts. 

If  we  compare  the  definitions  of  Deadlocks  and  Traps,  or  State 
Machines  and  Marked  Graphs,  we  note  a  striking  similarity:  A  Trap  has 
the  same  definition  as  a  Deadlock  if  we  reverse  all  arrows,  i.e.  if  we 
transpose,  throughout  the  definition,  the  words  input  and  output .  A 
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Marked  Graph  has  the  same  definition  as  a  State  Machine  if  we  transpose, 
throughout  the  definition,  the  words  place  and  transition.  In  che  first 
case,  we  say  that  a  Deadlock  is  the  reverse  of  a  Trap  (and  vice  versa); 
in  the  second  case,  we  say  that  a  Marked  Graph  is  the  dual  of  a  State 
Machine  (and  vice  versa). 

If  we  now  look  at  the  definition  of  a  Free  Choice  Net,  we  observe 
that by transposing the words input and output (and also transposing to and
from),  and  then  transposing  the  words  place  and  transition,  we  get  the 
same  definition: 


before: Every arc from a place to a transition is either the
        unique input arc to a transition, or the unique output
        arc from a place.

after:  Every arc to a transition from a place is either the
        unique output arc from a place, or the unique input
        arc to a transition.

We  express  this  by  saying  that  the  reverse-dual  of  a  Free  Choice  Net  is 
a  Free  Choice  net. 

Formally,  we  have: 

Definition: The reverse of a Petri Net (Π, Σ, •) is a Petri Net
(Π', Σ', ∘) such that there are two bijections φ and

[Figure: a primal net and its reverse]
Definition: The dual of a Petri Net (Π, Σ, •) is a Petri Net
(Π', Σ', ∘) such that there are two bijections φ and ψ:

φ : Π → Σ'
ψ : Σ → Π'
and ∀p ∈ Π, ∀t ∈ Σ: p • t ⇔ φ(p) ∘ ψ(t)

(place-transition interchange)

[Figure: a primal net and its dual]


Definition: The reverse-dual of a Petri Net (Π, Σ, •) is the net
(Π', Σ', ∘) such that there are two bijections φ and ψ

[Figure: a primal net and its reverse-dual]


It is clear that:

reverse of dual = dual of reverse = reverse-dual
dual of dual = primal
reverse of reverse = primal
reverse-dual of reverse-dual = primal
(primal = the original net)
Lemma 6: The reverse-dual of

- Free Choice is Free Choice.
- State Machine is Marked Graph.
- Marked Graph is State Machine.
- Strongly Connected is Strongly Connected.


Proof:

Let the primal be (Π, Σ, •).
Let the reverse-dual be (ψ(Σ), φ(Π), ∘),
where φ and ψ are bijections.

Then: (FC in primal) ≡ (∀p ∈ Π, ∀t ∈ Σ: p • t ⇒ p• = {t} or •t = {p})

But, in the reverse-dual, we get:

p • t ⇔ ψ(t) ∘ φ(p)
p• = {t} ⇔ °φ(p) = {ψ(t)}
•t = {p} ⇔ ψ(t)° = {φ(p)}

hence: ∀p' ∈ ψ(Σ), ∀t' ∈ φ(Π): p' ∘ t' ⇒ °t' = {p'} or p'° = {t'}


The three remaining points of the Lemma are trivial.

Example 1: Strongly connected Free Choice net. This example happens
to be self-reverse-dual.

[Figure: a net and its reverse-dual]

of a Petri Net <Π, Σ> is the Petri net <•T ∪ T•, T>.

We shall emphasize the distinction of the two kinds of consistent
subnets by calling them closed and open respectively:

Definition: A closed consistent subnet is a subnet <Π, Σ> such that
Σ = •Π ∪ Π• (defined by its places).

An open consistent subnet is a subnet <Π, Σ> such that
Π = •Σ ∪ Σ• (defined by its transitions).
The distinction takes its name from the fact that the former is separated
from  the  rest  of  the  net  by  a  boundary  of  transitions,  the  latter  by  a 
boundary  of  places  (more  "open"  than  transitions). 

To every statement about a Free-Choice Petri net corresponds a
statement about the reverse-dual net:

primal                       reverse-dual

place                        transition
input (to)                   output (from)
input arc to a transition    output arc of a place
covering by SCSM's           covering by SCMG's
                             (Strongly Connected Marked Graphs)
Closed Consistent Subnet     Open Consistent Subnet
SM-allocation                MG-allocation
etc.

Note also that the reverse of a trap is a deadlock, but we have no
interpretation yet for the dual or the reverse-dual notion of a trap.


5.3  Decomposition  of  a  Free-Choice  Net  into  a  Covering  of  SCSM's 

We shall describe a reduction method which, given an FC net,
constructs all possible SCSM's that form a covering. The method is such
that if the net is well-formed, every reduction yields a SCSM and they
cover the net; if the net is not well-formed, some reduction will not
yield a SCSM, or the reductions will not cover the net.

We recall, from the proof of Theorem 4, that in a Free Choice net
we can construct a minimal deadlock by choosing any one of the input
places to a transition that has one output place committed to the
deadlock. So, to reduce the net to one of its component SCSM's we make
such a choice ahead of time for all transitions.


The boundary of a subnet (Π', Σ') in a net (Π, Σ) is the set
{x | x ∈ Π' ∪ Σ' and (x• ∪ •x) ∩ ((Π − Π') ∪ (Σ − Σ')) ≠ ∅}
We shall therefore define an allocation of input places to
transitions much like we defined an allocation of output transitions to
places in the proof of Lemmas 3 and 4. Since we wish to construct
state machines, we distinguish this allocation by calling it a
state-machine allocation, or SM-allocation.

IMPORTANT NOTE: We shall from now on interpret "strongly connected" and
"SC" as "consisting of strongly connected components."

Hence, a reduced net consisting of several disjoint but individually
strongly connected State Machines (or Marked Graphs) will also be called
SCSM (or SCMG).

Definition: An SM-allocation over a Free Choice net (Π, Σ)
is a function B : Σ → Π such that:

∀t ∈ Σ: B(t) ∈ •t

Given  such  an  SM-allocation  B  we  will  now  reduce  the  net  to  a  SCSM 
(if  possible)  that  does  not  contain  unallocated  places: 

Step 1: Delete all unallocated places (Π − B(Σ)).

Step  2:  Delete  all  transitions  that  have  all  output  places 
already  deleted. 

Step  3:  Delete  all  places  that  have  at  least  one  output 
transition  already  deleted. 

Repeat  Steps  2  and  3  until  neither  is  applicable  anymore. 

What  is  left  over  is  the  reduced  net.  Each  step  eliminates  some  elements 
that  would  not  be  part  of  a  SCSM  consistent  with  the  SM-allocation. 

Formally, we construct the sets of eliminated places (Ep) and
transitions (Et) as follows, given an SM-allocation B on a FC net (Π, Σ):

∀p ∈ Π, ∀t ∈ Σ:

•t − {B(t)} ⊆ Ep          (step 1)
t• ⊆ Ep ⇒ t ∈ Et          (step 2)
p• ∩ Et ≠ ∅ ⇒ p ∈ Ep      (step 3)

Then the SM-reduced net is defined as the Petri Net (Π − Ep, Σ − Et),
say <Qp, Qt>. Hence:

Qp = Π − Ep
Qt = Σ − Et


From  the  definition  follows  immediately: 

%  =  \ 

•Qp ⊆ Qt


and  hence : 


Qp  =  -Qt  n  q; 

•Qp ∪ Qp• ⊆ Qt

Now assume t• ∩ Qp = ∅.

It follows that: t• ⊆ Ep
                 t ∈ Et
                 t ∉ Qt

Hence: (t ∈ Qt) ≡ (t• ∩ Qp ≠ ∅) ⇔ (∃p ∈ Qp: t ∈ •p) ≡ (t ∈ •Qp)

i.e. Qt = •Qp

Hence: •Qp ∪ Qp• ⊆ Qt ⊆ •Qp

i.e. Qt = •Qp ∪ Qp•     (closed consistent subnet)
     Qp• ⊆ •Qp          (trap)

Also, by construction, ∀t: |•t ∩ Qp| ≤ 1     (non-decreasing)
Lemma 7: An SM-reduction of a FC net is a closed consistent subnet
defined by a non-decreasing trap.

We  shall  now  prove  a  sufficient  condition  for  Well-Formedness  in  terms 
of  SM-reductions  of  a  FC  net: 

Theorem  7 :  If  every  SM-reduction  of  a  FC  net  is  a  SCSM,  and  they  cover 
the  net,  then  the  net  is  WF. 

Proof: All that is required to prove is that every minimal deadlock
<D, D•> is a SCSM.

We know that because D is minimal in a FC net,

∀t ∈ D•: |•t ∩ D| = 1

We say that an SM-allocation B and the corresponding SM-reduction
are consistent with the minimal deadlock D

iff ∀t ∈ D•: •t ∩ D = {B(t)}

Such allocations exist because of the fact that |•t ∩ D| = 1.
(Note that, since the deadlock is minimal, this implies
B(D•) = D.)

First, we show that the minimal deadlock D must intersect
each SM-reduction <Qp, Qt> consistent with D, i.e. that

D ∩ Qp ≠ ∅.

Assume the contrary: D ∩ Qp = ∅ for every SM-allocation
B consistent with D, whose associated SM-reduction is <Qp, Qt>.

case 1: ∀t ∈ D•: |•t| = 1

In this case, every SM-allocation is consistent with D,
hence deletes all of D (since, by assumption, D ∩ Qp = ∅).
This contradicts the fact that the reductions cover the net.

case 2: ∃t ∈ D•: |•t| ≥ 2

For any SM-allocation B' not consistent with D, let:

•t0 ∩ D = {p0}
B'(t0) = p1
p1 ≠ p0     (B' not consistent with D)

Then, every SM-allocation not consistent with D (such as B')
deletes p0 (Step 1: p0 is unallocated). But, by assumption,
every SM-allocation consistent with D also deletes p0:

The reductions do not cover: contradiction.

Hence: Every minimal deadlock D intersects some SM-reduction
<Qp, Qt> consistent with D:

D ∩ Qp ≠ ∅

Now, let p ∈ D ∩ Qp

then: •p ⊆ D• because D is a deadlock.

•p ⊆ Qt because the reduction is a Closed Consistent subnet.

also, ∀t ∈ •p: •t ∩ D = {B(t)} ⊆ Qp

because the reduction <Qp, Qt>, defined by SM-allocation B,
is consistent with <D, D•>.

Hence: •(•p) ∩ D ⊆ Qp ∩ D

By repeating this process for each place in •(•p) along
backwards paths until D or Qp is exhausted (which must happen
since D and Qp are minimal deadlocks - the latter because it
is SCSM - and hence every place can be reached by a
backwards path) we get D ⊆ Qp or Qp ⊆ D. But since both are
minimal deadlocks, we must have:


Hence D is SCSM.

q.e.d.
5.4 Decomposition of a FC Net Into a Covering of Strongly Connected
Marked Graphs

A Free-Choice Net can be considered as an extension of State
Machines by allowing Marked-Graph-type concurrency, or as an extension of
Marked Graphs by allowing State-Machine-type conflict. Historically,
this view is at the origin of the concept of Free-Choice nets.

So far, we were concerned with the State-machine-like behavior of
FC nets. But, noting that the reverse-dual of a FC net is also FC,
we shall now use this as a tool for analyzing Marked-Graph-related
properties.

We used SM-allocation reduction to get a decomposition into Closed
Consistent Subnets. Now, we define Marked-Graph allocation as the
reverse-dual concept and use it to get Open Consistent Subnets.


Definition: A Marked-Graph Allocation (MG-allocation) over a Free Choice
net <Π, Σ> is a function

A : Π → Σ

such that ∀p ∈ Π: A(p) ∈ p•

This is exactly the type of allocation we used over a
subset of places in the proof of Theorem 2.

Now  we  define  MG-reduction,  given  an  MG-allocation  A,  by  translating  the 
definition  of  SM-reduction  into  the  corresponding  reverse-dual  concepts: 

Step  1:  Delete  all  unallocated  transitions. 

Step 2: Delete all places that have all input transitions
already deleted.

Step 3: Delete all transitions that have at least one input
place already deleted.

Repeat Steps 2 and 3 until neither is applicable anymore.

What is left over is the reduced net. Each step eliminates some
elements that would not be part of a SCMG consistent with the
MG-allocation.

However, we can also interpret this reduction as the elimination
of all those parts in the net that would not be active if we were to use
the allocation as a choice for multiple-output places: We deliberately
choose not to fire unallocated transitions (Step 1); if all token flow is
interrupted to a place, that place becomes inactive (Step 2); and if
some input place to a transition is inactive, that transition will be
inactive (Step 3). This description is informal at best, but if we
interpret "inactive" as "receiving only a finite number of tokens," or
"firable only a finite number of times," it will be useful for proofs
about liveness.
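The SM-reduction of 5.3 and the MG-reduction above can be run mechanically. The following is an added example, not part of the thesis: it implements Steps 1-3 for an SM-allocation, obtains the MG-reduction by applying the same routine to the reverse-dual, and tests whether every reduction is a non-empty SCSM (respectively SCMG) and the reductions cover the net. The class and function names and the two sample nets are assumptions made for the illustration.

```python
from itertools import product

class Net:
    """Structure of a Petri net (no marking): places P, transitions T, arcs F."""
    def __init__(self, places, transitions, arcs):
        self.P, self.T, self.F = frozenset(places), frozenset(transitions), frozenset(arcs)

    def pre(self, x):    # •x : input elements of x
        return {a for a, b in self.F if b == x}

    def post(self, x):   # x• : output elements of x
        return {b for a, b in self.F if a == x}

def is_free_choice(net):
    # every place->transition arc is the unique input arc of the transition
    # or the unique output arc of the place
    return all(len(net.pre(t)) == 1 or len(net.post(p)) == 1
               for p, t in net.F if p in net.P)

def reverse_dual(net):
    # interchange places and transitions and reverse every arc
    return Net(net.T, net.P, {(b, a) for a, b in net.F})

def sm_allocations(net):
    # every function B with B(t) in •t (assumes each transition has an input place)
    ts = sorted(net.T)
    for choice in product(*(sorted(net.pre(t)) for t in ts)):
        yield dict(zip(ts, choice))

def sm_reduce(net, B):
    """Steps 1-3 of the SM-reduction; returns the surviving (places, transitions)."""
    Ep = set(net.P) - set(B.values())            # Step 1: unallocated places
    Et = set()
    changed = True
    while changed:
        changed = False
        for t in net.T - Et:                     # Step 2: all output places deleted
            if net.post(t) <= Ep:
                Et.add(t); changed = True
        for p in net.P - Ep:                     # Step 3: some output transition deleted
            if net.post(p) & Et:
                Ep.add(p); changed = True
    return net.P - Ep, net.T - Et

def mg_reduce(net, A):
    """MG-reduction computed as the SM-reduction of the reverse-dual."""
    Qt, Qp = sm_reduce(reverse_dual(net), A)     # roles of places/transitions swap back
    return Qp, Qt

def is_scsm(net, Qp, Qt):
    """Non-empty State Machine made of strongly connected components."""
    nodes = Qp | Qt
    arcs = [(a, b) for a, b in net.F if a in nodes and b in nodes]
    if not nodes:
        return False
    for t in Qt:  # State Machine: exactly one input and one output place per transition
        if sum(b == t for _, b in arcs) != 1 or sum(a == t for a, _ in arcs) != 1:
            return False
    def reaches(src, dst):
        seen, stack = {src}, [src]
        while stack:
            x = stack.pop()
            for a, b in arcs:
                if a == x and b not in seen:
                    seen.add(b); stack.append(b)
        return dst in seen
    return all(reaches(b, a) for a, b in arcs)   # every arc lies on a cycle

def criterion_d(net):
    """Every SM-reduction is a non-empty SCSM and the reductions cover the net."""
    ok, covered = True, set()
    for B in sm_allocations(net):
        Qp, Qt = sm_reduce(net, B)
        ok = ok and is_scsm(net, Qp, Qt)
        covered |= Qp | Qt
    return ok and covered == net.P | net.T

def criterion_e(net):
    """The same test for MG-reductions, obtained by reverse-duality."""
    return criterion_d(reverse_dual(net))

# Constructed sample nets (not taken from the thesis).
# WF: place p1 chooses between a fork/join (t1, t2) and a simple loop (t3, t4).
WF = Net({"p1", "p2", "p3", "p4"}, {"t1", "t2", "t3", "t4"},
         {("p1", "t1"), ("t1", "p2"), ("t1", "p3"), ("p2", "t2"), ("p3", "t2"),
          ("t2", "p1"), ("p1", "t3"), ("t3", "p4"), ("p4", "t4"), ("t4", "p1")})
# BAD: a choice at q1 whose two branches must both complete before join u3 fires.
BAD = Net({"q1", "q2", "q3"}, {"u1", "u2", "u3"},
          {("q1", "u1"), ("u1", "q2"), ("q1", "u2"), ("u2", "q3"),
           ("q2", "u3"), ("q3", "u3"), ("u3", "q1")})

if __name__ == "__main__":
    for name, net in (("WF", WF), ("BAD", BAD)):
        print(name, is_free_choice(net), criterion_d(net), criterion_e(net))
```

In the BAD net every SM-reduction and every MG-reduction comes out empty, which is the structural signature of a choice followed by a join that can never be satisfied.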

Formally, we define the reduced net as follows:

Sets of deleted places Ep, deleted transitions Et:

∀p ∈ Π, ∀t ∈ Σ:

p• − {A(p)} ⊆ Et          (Step 1)
•p ⊆ Et ⇒ p ∈ Ep          (Step 2)
•t ∩ Ep ≠ ∅ ⇒ t ∈ Et      (Step 3)

The MG-reduced net, via MG-allocation A, is the net <Qp, Qt>

where Qp = Π − Ep
      Qt = Σ − Et

As in the case of SM-reduction, we get by reverse-duality:

Qp = Qt• ∪ •Qt = Qt•      Open Consistent Subnet
•Qt ⊆ Qt•
∀p: |p• ∩ Qt| ≤ 1         Conflict-free

We have no significant interpretation yet for •Qt ⊆ Qt•. We summarize
these facts by:
Lemma 8: An MG-reduction of a FC net is a conflict-free open consistent
subnet.

MG-reductions provide us with a necessary condition
for well-formedness.

Lemma 9: If some MG-reduction of a FC net is empty, the net is not live.

Proof: If some MG-reduction is empty, the set of eliminated
transitions Et and eliminated places Ep form the whole net, for some
MG-allocation A. Let us do the reductions step by step and
check for possible firings of the eliminated transitions by
A-sequences (see proof of Theorem 2).

Step 1: No A-sequence fires any unallocated transition, by
definition. We start building Et with transitions
firable at most a bounded number of times.

Step 2: Eliminate those places that have only deleted input
transitions. By inductive hypothesis, these transitions
can only fire a bounded number of times.
Hence, these eliminated places can fire their output
transitions only a bounded number of times.

Step 3: Eliminate those transitions that have at least one
input place deleted. By the explanation of step 2,
they can fire only a bounded number of times: This
supports the inductive hypothesis of bounded firability
for a repetition of steps 2 and 3.

Since all transitions will be eliminated by hypothesis, every
A-sequence can fire each transition only a bounded number of
times.

Now let M be any marking, and let a be an A-sequence such that
no transition is firable by an A-sequence starting at
M' = M[a>. We just proved the existence of such an A-sequence.

By the same reasoning as used in the proof of Lemma 4, we show
every firing sequence starting at M' must be an A-sequence, i.e.
no transition can be fired by any firing sequence starting at
M'. For suppose some transition is firable at M'. It must be
an unallocated transition t0 ∈ p0• − {A(p0)} for some p0, since
it must be part of a non-A-sequence. But, by Free Choice
hypothesis: t0 firable ⇒ A(p0) firable, which contradicts
the assumption that no A-sequence can fire at M'.


Lemma 10: If some MG-reduction of a live FC net is not a SCMG, the net
is unsafe.

Proof: a) Let us consider the MG-reduction within the original net.
Since each transition in the subnet has all the places
connected to it both in the original net and in the subnet (open
consistent subnet) a transition is firable in the subnet if
and only if it is firable in the original net, and the effect
of that firing on the marking is the same. Hence, if a
firing in the subnet leads to an unsafe marking, the net is
unsafe; if it leads to a marking where no transition in the
subnet can be fired (A-sequence), then no firing sequence in
the original net can fire any transition in the subnet; in this
latter case, the same argument used in Lemma 4 and Lemma 9
applies again.

Hence: Net live ⇒ MG-reduction live
       MG-reduction unsafe ⇒ Net unsafe

b) Now consider the MG-reduced net <Qp, Qt> alone. Assume
it has a live marking. We shall show it is unsafe if it is not
a SCMG.
- if it is not strongly connected, it must be unsafe:

(We must assume here that no transition t is such that t• = ∅;
but this is guaranteed if the original net does not contain
such a transition.)

- if it is not a Marked Graph, it must contain a place p with
more than one input transition, since more than one output
transition is excluded by construction. Since •Qt ⊆ Qt•
there exists an infinite backwards path from each input
transition to p, i.e. the backwards path ends in a loop. There
are two cases:

- the paths do not intersect:
Then liveness implies that t1
and t2 be concurrently firable,
hence p is unsafe.

- the paths intersect. Then, since no place has several outputs,
the paths must recombine at a transition:

Again, liveness implies unsafeness.

Hence: (not SCMG and live) ⇒ unsafe

q.e.d.


Lemma 11: If, in a Strongly Connected Free Choice net, every MG-reduction
is strongly connected and non-empty, the reductions cover the
net.

Proof: If the transitions are covered, the places are covered because
the reductions are open consistent subnets. Assume some
transition t is not covered, i.e. t is not in any MG-reduction.
Since the net is strongly connected, we have: ∀t, |•t| ≥ 1.

Case 1: |•t| = 1. Then, if every reduction eliminates t,
every reduction must eliminate •t, hence all of
•(•t) (Step 2 of reduction). If all t' ∈ •(•t)
are such that |•t'| = 1, repeat case 1 for some
t'. If not, apply case 2.

Case 2: |•t| ≥ 2. This case must arise at some time
because if not the search assumed in case 1 would
exhaust the net, which contradicts the assumption
that no reduction is empty.

But now, by Free Choice hypothesis, each place in •t is a
single-output place. If each reduction eliminates all of
•t, repeat the argument for t' ∈ •(•t) as in case 1.

If some reduction eliminates only part of •t, since it
eliminates t there would be places without output
transitions in the reduced net: not strongly connected.

In any case, the existence of an uncovered transition
implies the existence of either an empty or a
non-strongly-connected MG-reduction.

q.e.d.

From Lemmas 9, 10, and 11 and Theorem 6 with the well-formedness
corollary we get:

Theorem  8:  If  a  Free  Choice  net  is  Well-Formed,  every  MG-reduction  is 
a  non-empty  SCMG  and  the  reductions  cover  the  net. 

5.5  The  Well-Formedness  Theorem 

We  are  now  ready  for  the  Well-Formedness  Theorem,  which  includes  all 
criteria  for  the  existence  of  a  Live  and  Safe  Marking,  including  Theorems 
7  and  8  and  their  converses. 

Well-Formedness Theorem (Theorem 9): In a Free Choice Petri net, the
following are equivalent:

a) The net is Well-Formed:
   - every minimal deadlock is SCSM
   - there is a covering of SCSM's

b) The net has a Live and Safe marking.

c) The reverse-dual is Well-Formed.

d) Every SM-reduction is a SCSM, the reductions
cover the net, no reduction is empty.

e) Every MG-reduction is a SCMG, the reductions
cover the net, no reduction is empty.


Proof:

Note: If a is a statement about a FC-net, let a' be the same
statement for the reverse-dual of the net.

Example: c = a'

a ⇔ b: Corollary of Theorem 6
a ⇒ e: Theorem 8

e = d', reverse-dual of e for the reverse-dual net, i.e.

(e for primal) ⇔ (d for reverse-dual)

If the primal is such that every MG-reduction is a SCMG etc.,
the reverse-dual is such that every SM-reduction is a SCSM.

d' ⇒ c: Theorem 7 for the reverse-dual net
a' ⇒ e': Theorem 8 for the reverse-dual net

e' ⇔ d: reverse-duality

d ⇒ a: Theorem 7

We have the following diagram:

[Figure: implication diagram between the statements for the primal and
for the reverse-dual]

The implication path is closed and hence gives us the equivalence
of statements a, b, c, d, e, a', b', d' and e'.

Remark: Statement d is more complete than the one used in
Theorem 7; the part "no SM-reduction is empty" follows by
reverse-duality of the full statement of Theorem 8. It is not
essential in the proof of this theorem.

q.e.d.


5.6 Examples of Decompositions

We give below four examples of non-Well-Formed Free Choice Petri
Nets. All four are strongly connected, but show different possibilities
of structural unsoundness.


Example 1:

(Reductions shown are superimposed in bold on the original net.)

- one MG-reduction is not a MG (shown).
- one SM-reduction is not a SM.
- the other SM-reduction is empty.
- MG-reductions cover, the SM-reductions do not cover.


This  example  has  live  markings :  The  minimal  deadlocks  are 
(P^  P2»  P3)»  which  is  a  trap,  and  (p^  P;},  p^},  which  contains  the 
trap  {p^,  p^}.  But  no  live  marking  is  safe. 
Example 2:

- one MG-reduction is not SC (shown).
- the other MG-reduction is empty.
- one SM-reduction is empty.
- neither SM-reductions nor MG-reductions cover the net.

Example 3:

- two MG-reductions (one is shown) are SCMG's and cover the net.
- the two other MG-reductions are empty.
- same for SM-reductions (the net is self-reverse-dual)

Examples 2 and 3 have no live markings: The empty MG-reduction
guarantees the existence of a killing sequence.


i  Net  has 


>,  <tlt  t2>}.  1 

i .  We  call  sue! 


Ls  a  marking  s 
MG-reduction no. 1 of Example 4:


unallocated  arc: 

The  MG-reduction  is  not  a  Marked  Graph. 




unallocated  arc:  p  •  t. 

>J  "T 

The  MG-reduction  is  not  strongly  connected. 

The  two  MG-reductions  cover  everything  except  t^. 
SM-reduction no. 2 of Example 4:


unallocated  arc:  •  t,. 

The  reduction  is  not  strongly  connected. 

The two SM-reductions cover everything except p3.
CHAPTER 6

Application  of  the  Mathematical  Results. 

In this chapter, we present the full decomposition of the example
of a Well-Formed Production Schema shown in 2.3.

The next pages show first a reproduction of the example and the
corresponding Petri Net. The labels on the Production Schema
indicate the corresponding Petri Net elements. Some contractions have
been performed in the translation process, as suggested in 2.4. We
also have used only one transition to represent the two operations
labeled j and j' in the Production Schema; this of course does not
change the structure of dependencies.

We then present all SM-reductions superimposed in bold on the
original net. For each reduction, we indicate the SM-allocation by
crossing out the unallocated arcs.

We record the progress of the reduction algorithm by numbering
the elements as they are eliminated. The unallocated places,
disappearing at step 1 (cf. 5.3), are labelled (1). The transitions
eliminated by the first application of step 2 are labelled (2); those
eliminated by the nth application of step 2 are labelled (2n). The
places eliminated by the nth application of step 3 are labelled (2n+1).

Since there are three two-input transitions, and all other
transitions have a single input place, the unallocated arcs will be chosen
from three pairs of arcs. We therefore expect eight (2³) possible
SM-reductions.

However, two different SM-allocations may yield the same reduced net.
This is illustrated in the first example (SM-reduction No. 1): We
notice that the choice at transition c eliminates transition m on move (4),
and this independently from the choice made at m. Hence, the choice
between L and M for the allocation at m is irrelevant: The two allocations
yield the same reduced net. The same applies to SM-reduction No. 4.

In SM-reductions Nos. 5 and 6, we also notice a multiple-input
transition, namely h, that has been deleted. However, this is due to the
combined choice at c and h; if we allocated G to h instead of K, we do
not delete h (SM-reductions Nos. 2 and 3).
[Figure: Well-Formed Production Schema]

The SM-allocation of SM-reduction 1 is formally the function B,
consisting of the set of pairs (x, B(x)):

argument: x ∈ Σ        a b c d e f g h i j k l m
value:    B(x) ∈ •x    A B C B F D F G H H J E L

We get the same reduced net by replacing the argument-value pair
(m, L) by (m, M). We distinguish the allocations yielding SM-reduction
No. 1 by calling them SM-allocation No. 1 and No. 1 bis respectively.

We  also  note  that  a  reduction  may  consist  of  several  disjoint 
parts.  This  should  not  be  surprising,  and  the  warning  on  page  was 
given  with  this  in  mind.  It  is  simply  convenient  not  to  distinguish 
between  the  two  interpretations  of  "strongly  connected;"  context 
usually  makes  the  difference  clear  when  it  is  relevant  (when  talking 
about  minimal  deadlocks  for  example).  We  shall  say  individual  SCSM  if 
we  want  to  emphasize  one  component. 

The  individual  SCSM's  (the  minimal  deadlocks)  are  the  SM-reductions 
Nos.  1,  4,  5,  6.  SM-reduction  Nos.  2  and  3  are  combinations  of  1  and  6 
respectively  3.  In  this  net,  all  minimal  deadlocks  are  required  to  cover 
the  net.  In  terms  of  reductions,  only  three  are  required:  2,  4,  and  5 
for  example. 

There are 8 SM-allocations (the product of the number of input arcs
over all transitions) yielding 6 different SM-reductions and 4
individual SCSM's. Note also that the union of SM-reductions No. 3 and No. 6
covers all transitions, but leaves out places C and K.

From  the  SM-decomposition  we  can  infer  a  few  facts  about  a  possible 
live-and-safe  marking. 

- Since there are four minimal deadlocks, and each has at least one
place that appears in no other individual SCSM (four such places are G,
K, L, M for example), the maximum number of tokens in the net is four.

-  Since  no  place  is  shared  by  more  than  two  individual  SCSM's,  but  A 
is  shared  by  two  SCSM's  and  H  by  the  other  two,  the  minimum  number  of 
tokens  in  a  live  and  safe  marking  is  two.  It  is  also  easy  to  see  that 
there  is  only  one  live-and-safe  marking  class,  determined  by  the  initial 
marking  {A,  H}  for  example. 


[Figure: MG-reduction]

The MG-reductions have been constructed in an analogous way.
Again, unallocated arcs have been crossed out. The MG-allocation for
MG-reduction No. 1, for example, is the function A, consisting of the
set of pairs (x, A(x)):

argument: x ∈ Π        A B C D E F G H I J K L M
value:    A(x) ∈ x•    a b c f l e h i c k h m m

The unallocated transitions are d, g, j.

Much of what has been said about SM-reductions can be said about
MG-reductions. We again have 8 MG-allocations (product of the number
of output arcs over all places) yielding 6 distinct MG-reductions and
4 individual SCMG's: reductions Nos. 1, 4, 5 and 6. The coincidence
with SM-reductions is totally fortuitous (even the fact that
MG-reductions Nos. 2 and 3 are composed of reductions No. 1 plus 6 and 6,
respectively); to show this, it is enough to imagine an additional choice
for B, going to F via a new transition n, for example. Now we would have
12 MG-allocations, and we would get more SCMG's, but the only change to
SM-reductions would be that the individual SCSM No. 1 would look
different in SM-reductions Nos. 1, 2 and 3.

Note that MG-reduction No. 4 covers all places by itself, but
transitions e, d and j are not covered. A complete MG-covering would be
2, 4, 5 for example, consisting of all four individual SCMG's.

We can consider a covering by SCSM's as a set of State Machines
communicating by exchanging synchronization signals via shared
transitions h, m and c. Since we interpret the net as a representation of
some production facility, these transitions correspond to points where
one process must wait for another. If two transitions, say c and j,
belong to the same individual SCSM, they may represent facilities
using the same resources, since they will never compete for common
resources.

The decomposition into Marked Graphs shows concurrency among the
composing State Machines. But it also shows possible complete
independencies. For instance, MG-reductions Nos. 2 and 3 consist of two
disjoint SCMG's. The two SCMG's of MG-reduction No. 2, however,
cannot operate concurrently, because the individual SCMG No. 5 intersects
the individual SCSM No. 1 containing SCMG No. 1: SCSM No. 1 would
contain two tokens. But all four individual SCSM's are needed for the
covering, and hence all must be one-token SCSM's.

On the other hand, this restriction does not apply to MG-reduction
No. 2, where the two components are indeed totally independent of each
other.

An interesting result for production facilities obtained from the
Well-Formedness Theorem in connection with MG-reductions is the
following:

If a production facility "works properly" for every constant
set of decisions (constant predicates for multiple choice
places) (i.e. every MG-reduction is LS, hence SCMG) then it
"works properly" for any dynamic choice (i.e. the net is LS).

CONCLUSION


This thesis has extended the structural analysis methods to concurrent
systems with decisions and conflicts. Before, most work in this area
was concerned with marked-graph type schemata [3, 12]. Baer, Bovet and
Estrin restricted themselves to directed acyclic bilogical (i.e.
conjunctive and disjunctive nodes) graphs [1]. The legality they refer to
corresponds to our Well-Formedness; in that sense this thesis extends
their work to directed cyclic bilogical graphs.

The concept of decomposition of Petri Nets seems very promising.
It permits the identification of meaningful subsystems and their
interconnections in a complex system. It may be used to enhance structural
transparency in the synthesis of complex concurrent systems. It also
provides criteria for the hang-up free interconnection of State
Machines, and sheds a new light on the results about the interconnections
of determinate systems obtained by Patil [17].

An interesting field of future research is the semantic
interpretation of the decomposition results, notably the significance of the
dual coverings -- by Marked Graphs and by State Machines -- of Petri
Nets. We expect a strong influence in this field from recent research
on the semantics of Petri Nets, by Holt [11].

A different approach to decomposition has been made by Furtek [8].
It is based on an analysis of the information flow along arcs that
governs the token flow at firings. Combining the two approaches should
prove very fruitful.

The next step will be to extend our results and methods to wider
classes of Petri Nets. Simple Nets seem to be the next target, and a
few results similar to those for Free Choice Nets have already been
obtained for Simple Nets. Ultimately, we hope to gain a full understanding
of the structural properties of General Petri Nets, and we expect that
some of the tools provided in this thesis will be useful to that effect.
If we get theorems and Live-and-Safeness criteria similar to those
expressed here for a larger class of Petri Nets, we will be able to
extend the definition of Production Schemata to represent and analyze an
even larger class of Systems.